The EU General Data Protection Regulation (EU GDPR) continues to be a major challenge for many companies. One glance at the press and the penalties being imposed confirms this. Where should companies start if they are to comply with the EU GDPR and avoid penalties? This was the topic of discussion between SER’s ECM Evangelist Stephan Kizina and Management Consultant Holger Klindtworth from Ebner Stolz.

Kizina: 2019 appears to be the year of EU GDPR inspections. Authorities are no longer being lenient. In Ireland, where many large US corporations have their European headquarters, 51 investigations were initiated. In Germany, 1&1 is being asked to pay around 10 million euros. In France, Google is to pay a fine of 50 million euros. Have the battle lines now been drawn?

Klindtworth: I think so, yes. Admittedly not in the sense that systematic checks are now being carried out like in a speed trap campaign. There are certainly not enough people available for this. However, the more companies are in the public eye, the greater the danger that they will end up in the spotlight. This doesn’t just apply to large corporations either.

Kizina: The real question is why are so many companies still lagging behind when it comes to data protection?

Klindtworth: The answer is simple: There’s no money in it. Data protection is an additional regulatory requirement that does not generate revenue. Another reason is simply ignorance. There is a lack of knowledge in interpreting the law, not to mention the added complexity of the wide range of IT landscapes, which make data protection more difficult, and then there’s the growing trend towards outsourcing. Responsibility for data protection can only be shared to a very limited extent. At the end of the day, the responsibility lies with me, not with my service provider. These factors make it difficult for any company to achieve compliance.

Kizina: While this situation could be resolved by a data protection officer, not all companies have one. Presumably, it’s difficult to find suitable people nowadays. Do I need to minimize my criteria for appointing a data protection officer?

Klindtworth: Please don’t! It is better to search a little longer than to reduce your expectations of the data protection officer. Professional expertise should be a top priority and candidates should be suitably qualified for the job. I think this is absolutely vital. How else do you intend to protect sensitive data?

Kizina: Is sensitive data a special category when it comes to personal data?

Klindtworth: Some data is riskier than other data, such as data relating to children or health, political or religious issues. It is incredibly important to keep reminding yourself that I, as a company, also have the right to process this data for specific purposes. However, I must always bear in mind the risks involved for individuals in processing this data: What would it mean for a person if this data were disclosed or lost? Sometimes it makes perfect sense not to process data because its usefulness is no longer proportionate to the gain because of the compliance measures to be taken.

Kizina: The EU GDPR actually applies to companies with regard to the data of private individuals. However, there was a report of a fine against the former regional leader of the Young Socialists , a branch of the German social democratic party ("Jusos"), who passed on the list of delegates for a party conference internally. Where does strictly private data processing stop and where does public or commercial data processing start?

Klindtworth: There is always a multi-dimensional view of a person: I am, on the one hand, a private person with my private sphere. In this case, I can send emails to my friends. However, as soon as I find myself in a public sphere and send information to many different people, including strangers, I enter into a gray area, where fines also come into the equation.

Kizina: Talking about gray areas, let’s suppose that I, as an EU company, store data in a cloud that is operated in India. In this case, I am definitely in an area excluded by the EU GDPR. I can basically forget about storing data here.

Klindtworth: It is extremely difficult to prove that the data center in Bangalore has no access to the data and that the data is encrypted properly. In cases of doubt, it is also a burden of proof, which is very difficult or impossible to prove. It is therefore better to use a cloud in Europe. Many software vendors design their infrastructures accordingly.

Kizina: Apart from cloud providers, there are other service providers or business partners that also use my personal data. This would have to be checked in a structured manner and documented on a regular basis.

Klindtworth: Yes, this is the first step taken by companies that take this matter seriously. They started, for example, by mapping the relationships with their suppliers and then stipulating them in a contract, which is something I can still support. This also applies to things you don’t even consider at first, such as printing Christmas cards, where the print shop receives the address data.

Such contractual regulations also affect the company’s own employees. What I keep finding in my role as auditor is that digital solutions in particular have huge advantages when it comes to proving compliance with the EU GDPR. If your employees store hard copies of signed data protection declarations, it becomes extremely difficult for an external auditor to follow the paper trail. If you want to comply with your obligations regarding documentation, you should store these documents digitally. In doing so, you can prove directly that the employee has signed the declaration. Implementing data protection manually and on paper, or other regulations that must be implemented, can only be done with a considerable amount of documentation and procedural effort. Digitally, this is much more efficient. At the end of the day, you have to take the pragmatic approach, which not only meets the regulatory requirements, but is also economically feasible.

Kizina: Document and demonstrate everything easily and digitally. That sounds reasonable. In practice, however, it’ss not so easy for many companies because the IT landscapes in most companies have grown historically. Information is stored in any number of different applications. This heterogeneity makes it virtually impossible to comply with the EU GDPR. So what can companies do about this?

Klindtworth: To do this, I must first have an overview of what personal data exists in my company. The first step therefore is to identify and classify EU GDPR-relevant data. Only then can I implement technical and organizational measures for this. A protection concept such as this is not just relevant for data protection. Consider, for example, the law on the protection of trade secrets and other regulatory requirements. And remember to document everything properly! If there is any doubt, you must be able to demonstrate that you have set up and carried out certain controls: protective measures against data loss, manipulation, disclosure and so on. When auditors come, you must provide the documentation with the respective versioning to back it up. This is still a major handicap for many companies. But I see a great deal of potential here for economic reasons. 

Kizina: Software and digital processes can save a great deal of time and effort and help to avoid penalties. What should companies pay particular attention to when choosing which software to use?

Klindtworth: Old archives or DMS systems are not designed for the EU GDPR as they are focused on data storage. The architecture does not support deletion, which is of course unacceptable now. Your systems and processes must be able to delete data if the purpose no longer applies. The days of WORM storage are now numbered. Note, however, that if you migrate to a new system, you must of course first set the purpose limitation and expiration periods accordingly, otherwise you will have gained nothing.

Kizina: What should I do if I have to delete data for data protection reasons, but statutory retention periods still apply?

Klindtworth: You always process data with a specific purpose. If you are an online pharmacy and document proof of services rendered for tax purposes, then you process and archive data specifically for this tax purpose. This means that you must continue to store these invoices. This is not the case with the results of a laboratory test: this is especially critical data, which you must protect and, if necessary, delete. However, you must only delete data that is not relevant for tax purposes or that is necessary due to other regulatory requirements.

Kizina: Thank you very much! That certainly sheds light on the murky issue of data protection. I would like to finish with a somewhat delicate question: What should I do as a company if a fine of over five million euros suddenly lands in my mailbox? Rush to file for bankruptcy?

Klindtworth: If you have a suitable ECM system, controls, and documentation, you don’t have to roll over so quickly and declare “I’m to blame, it’s over.” You should, of course, seek legal advice. I also recommend drawing up a plan in advance on how you intend to handle the issue in corporate communications in such a case. Ultimately, however, many things can only be decided by the highest court. There is plenty of room for interpretation. To be on the safe side in the event of a legal dispute, one thing is important: you must be able to demonstrate that you’ve done everything possible to protect data.