In force since May 2016, in implementation since May 2018 - the EU General Data Protection Regulation (GDPR) still leaves many companies wondering: Are we affected? And if so: How do we achieve legal certainty? And what can we do for data protection compliance?
Since May 2018, companies that handle personal data - and there are quite a few of them - must be prepared to pay a hefty fine. The penalties for data breaches can be significant, and they apply whenever a company does not fully comply with the requirements of the new GDPR. In addition, the new version of the German Federal Data Protection Act (BDSG) supplements and substantiates the GDPR. Here, however, uncertainty prevails everywhere:
- What is "personal data" anyway?
- Are we a "responsible entity" according to the GDPR?
- Who is a "data subject"?
- What exactly does "automated processing" of personal data mean?
- Do we have to appoint a data protection officer?
- What measures must be implemented?
The list of data protection compliance questions that need to be addressed is long.
It is true that definitions of the terms used in the regulation can be found in FAQ lists. However, this does not necessarily bring clarity about what they mean concretely for the individual company. At the latest when the necessary (because legally required) measures and duties have to be implemented and observed by employees, the right answers to questions such as these must be available:
- What are "technical-organizational measures"?
- When are they necessary?
- What about "proportionality"?
- What about the many "controls" required by the GDPR, such as "access or disclosure controls"?
- How can data protection compliance be ensured?
Data protection vs. information security
In any case, the right step for an affected company is to set up an effective data protection management system - tailored to its individual needs, if necessary already with a view to accredited certification.
What is often confused here: Data protection and information security are two different things, even if there are overlaps (for example, various control measures). Companies that have a fully comprehensive information security management system (ISMS) in accordance with ISO 27001 therefore cover the topic of data protection only to a certain extent.
But even here, there remains a delta that can be uncovered and closed with or without an ISMS using a gap analysis.
"The fundamental difference between the two topics: Information security protects a company's data from misuse by third parties; data protection aims to protect personal data."
In August 2019, a new standard, ISO 27701, was published that formulates requirements for data protection within information security management. ISO 27701 thus specifies a data protection management system based on ISO 27001, ISO 27002 (guidance for information security measures) and ISO 29100 (framework for data protection). ISO 27701 is a supplement to ISO 27001; certification according to the new standard alone is not possible.
Data protection compliance - benefits
- Reliable information about areas for action
- Knowledge about hidden potential
- More security of action and legal certainty in handling data after implementing appropriate measures
On the safe side - with a data protection audit by DQS
Companies striving for compliance in data protection should therefore do two things: familiarize themselves or their compliance officers with the topic as quickly as possible and have the status quo determined by an independent body such as DQS in the form of a gap analysis.
The focus of such a data protection audit is a self-assessment with document review. The company is then checked on site to determine whether it complies with the essential data protection aspects. A report shows whether there is a need for action and, if so, what action is required.
DQS Gap Analysis Data Protection
How much work do you need to do for a gap analysis? Find out free of charge and without obligation.