The new EU General Data Protection Regulation (GDPR), which applies from 25 May 2018 after a 24-month transitional period, introduces a number of changes for companies in how they handle personal data. The most important points are explained in the following article. Personal data is any information by which a natural person can be identified, directly or indirectly. This includes, for example, a name, an e-mail address or a photo. Particularly worthy of protection are ethnic origin, political opinions, religious beliefs, sexual orientation and health data. The GDPR calls these "special categories of personal data"; in practice they are referred to as "sensitive data," and processing them is subject to stricter conditions.
Consent and rights of data subjects
Unless another legal basis applies (for example, processing that is necessary to perform a contract with the user), a company needs the user's consent before it can process their personal data. For consent to be legally valid, it must be given freely and by an active step using the so-called opt-in procedure, for example by ticking a checkbox that is not pre-ticked; silence, inactivity or pre-ticked boxes do not count as consent. At the same time the company is subject to a duty to inform, so the data subject must be told about all of their rights. These include the right of access, the right to rectification, the right to erasure ("right to be forgotten"), the right to restriction of processing, the right to data portability and, finally, the right to object. Consent can also be withdrawn at any time, and withdrawing it must be as easy as giving it.
If data is collected for several different purposes, separate consent is required for each purpose; a single bundled consent is not sufficient. Conversely, the user can also object to each of these processing operations separately.
Few topics unsettle companies of all sizes as much as the DSGVO (the German name for the GDPR). With the right partners and the specific know-how, DeSight Studio ensures that entrepreneurs can sleep soundly again.
New obligations to provide evidence
The accountability obligations introduced by the GDPR are particularly important for companies: a company must be able to demonstrate compliance with the data protection rules at all times, not merely comply. For example, collected data may only be kept for a limited period (storage limitation) and may only be processed for the purpose for which it was originally collected (purpose limitation). The users' declarations of consent must also be produced for the competent supervisory authority during an inspection. A data protection management system (DSMS) is usually needed to document the processing activities in a detailed and comprehensible way, particularly because the technical and organizational security measures must be kept in line with the current state of the art and therefore need to be reviewed regularly.
Risk analysis with data protection impact assessment
In connection with data security, the GDPR also requires a regular risk assessment so that possible data protection breaches are detected early or, ideally, avoided altogether. Where processing is likely to result in a high risk to the rights and freedoms of data subjects, a data protection impact assessment (DPIA; DSFA in German) is mandatory; under the supervisory authorities' guidance, this is generally assumed as soon as at least two of the listed risk criteria apply. The assessment must describe the processing activity and the personal data concerned and evaluate the necessity and proportionality of the processing. It must then describe the technical, organizational and legal measures taken to mitigate the specific risk or to reduce its probability of occurrence.