As from 25. May 2018, the European Data Protection Regulation replaces the EU Data Protection Directive from 1995 and constitutes the new legal framework for data protection by means of which companies need to adapt their operations.
The aim is to regulate corporate processing of personal data and to create an appropriate balance between economic and consumer interests. As a result, the new European Data Protection Regulation includes several new requirements and changes in handling personal data.
One important change is the strengthening of user rights. Worth mentioning is the “right to be forgotten”, forcing the company to delete personal data on request. In addition, the “purpose limitation principle on personal data used” or the “principle of data economy”, which was already called for in the German Federal Data Protection Act will be strengthened. Also, the processing of personal data must now be explicitly approved by the customer.
The new European Data Protection Regulation introduces also tougher sanctions in the event of privacy violations as well as “proof of innocence”. In the event of a breach of data privacy, companies will in future have to reckon with fines up to EUR 20 million or up to four percent of the annual turnover. Within the context of “proof of innocence”, companies will in future have to demonstrate that they have complied with all the rules and taken measures to avoid data protection violation. Thus far, it has been up to the authorities responsible to prove an instance of violation.
In addition, the new European Data Protection Regulation requires that data security in companies is checked regularly, evaluated and that appropriate technical and organizational measures are introduced to ensure an adequate level of protection in case of a risk. This includes, for example, the use of pseudonyms and encryption of data or safeguarding data availability.
Furthermore, the data protection declaration as well as the contact and registration forms on the company website are required to be modified as a result of the new European Data Protection Regulation. In addition, many companies need to appoint a data protection officer whose contact details are required to be published.
In summary, the new European Data Protection Regulation exacts greater demands on data protection and the legally-compliant handling of the data. The rights of users will also be strengthened, and data protection given greater relevance.
Arqum is prepared to carry out a gap analysis in your company on the basis of the current draft of the new European Data Protection Regulation. This will identify any shortcomings in complying with the European Data Protection Regulation and provide recommendations for a practical implementation of the obligations.
Please do not hesitate to contact us!
Your contact at Arqum: Thomas Nienhaus