Data protection & GDPR

The topic of data protection is omnipresent, in business as well as in private life. In 2018, companies that process personal data face far-reaching changes: from 25 May 2018, the General Data Protection Regulation (GDPR) of the European Union (EU) applies directly in Germany, as it does in every other EU member state. From that date the EU Data Protection Directive (Directive 95/46/EC), on which the previous Federal Data Protection Act (BDSG) was based, is repealed, and the previous BDSG is replaced by a revised BDSG that supplements the GDPR where the Regulation leaves room for national rules.

The EU-GDPR standardizes the rules for the processing of personal data by private companies and public authorities across the EU. The aim is, on the one hand, to ensure the protection of personal data within the European Union and, on the other hand, to ensure the free movement of data within the European single market.

The most important topics and requirements, in compact form:

  • Greater involvement of the data protection officer (DPO, Art. 37 to 39 GDPR) and clearly defined responsibilities
  • Establishing the data protection impact assessment (DPIA, Art. 35) as a standing process
  • Designing the process for notifying personal data breaches: to the supervisory authority within 72 hours of becoming aware of the breach (Art. 33) and, where the breach is likely to result in a high risk to individuals, to the data subjects themselves (Art. 34)
  • Designing the processes for data subject rights and information duties (Art. 12 to 23)
  • Documenting all of these processes
  • Adapting contracts for processing on behalf of a controller (data processing agreements, Art. 28)
  • Reviewing the existing procedure index and converting it into the record of processing activities (Art. 30)
  • For processors: creating their own record of processing activities (Art. 30(2))
  • Establishing a training schedule for staff
  • Documenting and evaluating technical and organisational measures (TOM, Art. 32) and defining who is responsible for each
  • Regularly testing the effectiveness of the TOM (Art. 32(1)(d)), including planning penetration tests and information security management
  • Where necessary, planning the technical implementation of data subject rights: access, rectification, erasure, data portability (Art. 20), etc.
  • Reviewing forms and consent declarations (Art. 7: consent must be freely given, specific, informed and unambiguous, and withdrawing it must be as easy as giving it)
  • Adapting the privacy notice and, where necessary, web tracking

Your Data Protection Dashboard in the TQG businessApp platform

So how can you implement the EU-GDPR in practice and with the necessary care?
  1. Interpret the law for your own organisation, define your individual requirements and draw up a list of short-term measures as well as long-term organisational processes, with deadlines for monitoring compliance and, where appropriate, a continuous improvement process (CIP).
  2. Legal retention obligations (commercial and tax law, for example) require certain personal data to be stored in an audit-proof manner, protected against deletion and manipulation. At the same time, a major innovation in the EU-GDPR is the right to erasure, the "right to be forgotten" (Art. 17): it must be possible to delete personal data, including links to it and copies of it, once the purpose for which it was collected has lapsed or the data subject withdraws consent. The two requirements have to be reconciled, because erasure does not apply to data the organisation is legally obliged to retain (Art. 17(3)(b)); in practice every data set therefore needs a documented retention period, after which it is actually deleted rather than merely flagged. An enterprise-wide, cross-departmental information management solution in the sense of Enterprise Information Management (EIM) is a long-term, measurable investment here, above all because it can be extended module by module as your company's digital strategy changes (data protection is an important part of it!).
  3. When securing your data and your compliance, it is usually advisable to rely on proven support. Consultancy firms and solution providers have prepared themselves well for the EU-GDPR and positioned themselves with appropriate checklists and solutions. It is a good decision to take both the consulting and the solution from a single source, such as the TQG businessApp platform with its data protection dashboard app. There you have contracts, documents, procedural control, responsible persons, cases and evidence and reporting obligations clearly arranged in one app, configurable and expandable.

Comment piece

Digital change proves itself in dealing with the new GDPR. Respectful handling or alarmism: how sustainability, transparency and commitment can be put into practice.

Steffen Schaar, Member of the Management Board of The Quality Group GmbH, comments on the media excitement surrounding the upcoming GDPR and presents ideas for successfully meeting the challenges.

He writes: "To put it succinctly: 'The benchmark is not the medium, but the employees. Their actions, in the sense of transparent documentation, filing and compliance with organisational processes, allow the EU-GDPR to be properly anchored in companies.' That way, it is not a threat, but rather a benefit in the sense of data (protection), the careful handling of sensitive personal data, and also in relation to the deletion of data."