GDPR simply explained: Data privacy, cybersecurity and obligations for companies
GDPR: Simply explained
The General Data Protection Regulation, which has been in force since May 25, 2018, has led to a fundamental change in the handling of personal data for companies and consumers. The GDPR not only entails high fines for violations but also opens new opportunities for the data protection-friendly and responsible handling of data.
In an increasingly data-driven economy, the GDPR symbolizes the balancing act between innovation and privacy and has formed the basis for further regulations, which are now largely reflected in the European data strategy and pave the way for technological innovations such as artificial intelligence.
Background and origin
The GDPR is the contemporary successor to the EU Data Protection Directive of 1995, which dates back to the early days of the internet and whose content could no longer keep pace with rapid technical and economic developments. The revised EU data protection requirements reflect the EU’s ambition to regulate globally active companies while at the same time strengthening the rights of consumers. The revision of European data protection law began in 2011 with the first statement by the European Data Protection Supervisor on the EU Commission’s revision proposals. The entry into force of the regulation on May 24, 2016, and its application from May 25, 2018, were important milestones for the EU on the path to the digital future.
Fundamental principles and scope of the GDPR
The GDPR is made up of central principles in the area of personal data processing, including the lawfulness of processing, fair processing, data minimization and transparency during data processing. Here, the EU once again underlines its approach of regulating in a consumer-friendly manner. Accordingly, data may only be collected and processed for a specific purpose. Data subjects must be granted full transparency, which means that they must be informed about any data processing by the processor.
The scope of the GDPR extends to all companies and organizations that process the personal data of EU citizens. This includes not only institutions based in the EU, but also providers based elsewhere that offer services and products within the EU. The EU has left the member states the option of implementing further data protection regulations within the framework of national laws. This has resulted in the Data Protection Act (“Datenschutzgesetz”, DSG) in Austria and the Federal Data Protection Act (“Bundesdatenschutzgesetz”, BDSG) in Germany.
Rights of individuals under the GDPR
Those affected by data processing are granted extensive rights that allow them to retain “control” over the processed data and create transparency. In principle, every data subject has the right to obtain information about processed data (Art. 15 GDPR) and the extent to which it is stored and used. Data subjects also have a right to data portability (Art. 20 GDPR) and can have personal data handed over to them in a structured, commonly used and machine-readable format, for example in order to change providers, in which case they must not be hindered by the original processor. In addition, data subjects can exercise the right to rectification and erasure, having incorrect data corrected (Art. 16 GDPR) or data erased completely; the latter is reflected in the right to be forgotten (Art. 17 GDPR). Finally, data subjects can generally object to the processing of personal data as part of their right to object (Art. 21 GDPR) or exercise their right to restrict processing (Art. 18 GDPR), which limits how the data may be used.
Why is the GDPR important?
The GDPR creates the legal framework for the protection of privacy and the responsible handling of data. The GDPR therefore plays a crucial role in an increasingly data-driven world.
Protection of personal data
Data is nothing more than a resource that should be used sustainably and according to fixed rules. The misuse of data is a serious intrusion into the privacy and security of those affected. The GDPR therefore ensures the most efficient possible use of the resource “personal data” by companies while at the same time safeguarding the rights of data subjects.
Companies must implement risk-based technical and organizational measures, for example to protect data from unauthorized changes, misuse and loss. Misuse also includes the processing and storage of data after the retention period has expired.
Obligations and duties for companies
The GDPR imposes extensive obligations on companies. Companies must be able to account for the implementation of these obligations to the data subjects, i.e. be able to provide information on the implementation of the requirements. Implementation must be documented in a record of processing activities. In the case of high-risk processing activities, including special categories of data in accordance with Art. 9 GDPR, a data protection impact assessment (DPIA) must be prepared, which assesses the rights of data subjects in the context of the processes and technologies and evaluates risks such as a possible violation of a data subject’s right.
Obligations and duties also arise at a personnel level. In accordance with Art. 37 GDPR, companies are obliged to appoint a data protection officer and to notify the competent supervisory or data protection authority if, for example, the core activity involves the processing of special categories of data. Data protection incidents must also be reported to authorities via the data protection officer if there is a risk to the rights and freedoms of those affected by data processing.
Companies are also subject to obligations when it comes to data processing itself. In corporate groups, for example, it must be ensured that data traffic with subsidiaries is GDPR-compliant and transparent. The outsourcing of data processing to external parties requires a data processing agreement, which should include the responsibilities, rights and obligations of the processor and the controller as well as the technical and organizational measures. This ensures that the rights of data subjects are also respected when data processing is outsourced.
Consequences of violations of the GDPR
Data subjects who believe their rights have been violated can lodge a complaint with the supervisory authorities. If the data subject is proven right, this can lead to claims for damages on the one hand, but also to fines from the authorities on the other. These fines can amount to up to 20 million euros or 4% of total annual global turnover.
In addition, breaches of the GDPR can cause reputational damage, which in the first instance can damage a company’s image and in the second instance may result in a loss of revenue.
Furthermore, the data protection authorities of the EU member states can impose further sanctions on companies in accordance with Art. 84 GDPR, ranging from special requirements regarding data processing to site closures in the event of serious violations. In general, the principle of proportionality and the choice of the mildest means applies here.
The role of cybersecurity in the GDPR
Are there any parallels with requirements from other areas of information and cyber security that could help companies to implement the GDPR requirements in practice? Although the GDPR relates exclusively to personal data, there are actually many synergies with the Information Security Management System (ISMS). The International Organization for Standardization (ISO) has also issued several data protection extensions to the ISMS:
- ISO/IEC 27701 extends the ISO/IEC 27001 management system to a Privacy Information Management System (PIMS)
- ISO/IEC 27018 defines data protection measures for processing in clouds such as Amazon Web Services (AWS), Google Cloud and Microsoft Azure
- ISO/IEC 29134 describes a standard procedure for data protection impact assessments
- ISO/IEC 29151 extends the measures of ISO/IEC 27002 with specific data protection measures
Data protection and data security
One example of the interplay between ISMS and data protection is the strong overlap of technical and organizational measures (TOMs) to ensure data security. Art. 32 GDPR stipulates that companies and organizations must take appropriate TOMs to ensure an adequate level of protection for personal data. The GDPR names specific measures such as the pseudonymization of personal data, as well as ensuring the protection objectives of information security (confidentiality, integrity, availability), as examples of TOMs. In particular, the TOMs are intended to ensure that companies comply with the two data protection principles “data protection by design” and “data protection by default” and reduce the risk of damage.
One example of the implementation of these data protection principles is the implementation of a deletion concept in IT systems. The automatic deletion of personal data after a predefined period of time supports employees in processing data in compliance with data protection regulations and promotes data minimization. An essential prerequisite for a successful automated deletion concept is the correct classification of documents, which should be carried out consistently throughout the company.
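As an added illustration of the deletion concept described above (example code, not from the original page or from EFS Consulting), a minimal retention check in Python: the classifications, retention periods and sample records are constructed assumptions, and the behaviour worth noting is that a record without a valid classification is never deleted automatically but routed for manual review, which is why consistent classification is the prerequisite.

```python
from datetime import date, timedelta

# Retention schedule keyed on document classification.
# Constructed sample values, not any company's actual retention periods.
RETENTION_DAYS = {
    "applicant_file": 180,       # e.g. unsuccessful job applications
    "customer_contract": 3650,   # contract data with a legal retention duty
    "newsletter_consent": 730,
}

# Reference date for the deletion run (constructed).
AS_OF = date(2024, 7, 1)


def deletion_action(doc, today):
    """Return 'delete', 'keep' or 'review' for one record.

    doc: dict with keys id, classification, created (date) and
    optionally legal_hold (bool). Unknown classification means the
    retention period cannot be determined, so the record is flagged
    for review instead of being deleted or silently kept.
    """
    cls = doc.get("classification")
    if cls not in RETENTION_DAYS:
        return "review"
    if doc.get("legal_hold"):
        return "keep"  # legal hold overrides the schedule
    expiry = doc["created"] + timedelta(days=RETENTION_DAYS[cls])
    return "delete" if today >= expiry else "keep"


def run_deletion_cycle(docs, today):
    """Partition an inventory into deletion candidates, retained and review items."""
    result = {"delete": [], "keep": [], "review": []}
    for doc in docs:
        result[deletion_action(doc, today)].append(doc["id"])
    return result


# Constructed sample inventory.
SAMPLE_DOCS = [
    {"id": "A1", "classification": "applicant_file", "created": date(2023, 1, 10)},
    {"id": "A2", "classification": "applicant_file", "created": date(2024, 5, 1)},
    {"id": "C1", "classification": "customer_contract", "created": date(2014, 1, 15)},
    {"id": "C2", "classification": "customer_contract", "created": date(2014, 1, 15),
     "legal_hold": True},
    {"id": "X1", "classification": None, "created": date(2019, 6, 30)},
]

if __name__ == "__main__":
    print(run_deletion_cycle(SAMPLE_DOCS, AS_OF))
```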
Impact of the GDPR on cybersecurity
For companies, this means taking the data protection perspective into account in systems and processes from the outset and implementing appropriate measures. In order to identify the appropriate measures and demonstrate their sustainable effectiveness, a risk assessment is required, which must be updated regularly. This risk assessment in connection with personal data is called a data protection impact assessment. According to Article 35 GDPR, it is mandatory for e.g. profiling activities and processing of special categories of personal data (health data, data on religious beliefs, etc.). In addition, Austria has both a regulation on processing operations for which a data protection impact assessment must be carried out (Federal Law Gazette 2018 Part 2: 278th Regulation) and a regulation on exemptions from the data protection impact assessment (Federal Law Gazette 2018 Part 2: 108th Regulation).
Through the additional risk assessments from a data protection perspective, the company’s cyber security is examined from a broader perspective and improved with the resulting measures.
Challenges and best practices
There are numerous best practices for overcoming the challenges of implementing the GDPR requirements.
Challenges during implementation
The biggest challenge in connection with data protection is staying up to date. Although the GDPR has been applicable for several years now, there are always additional regulations, court rulings and decisions by data protection authorities that affect practical implementation. In addition, technological progress, particularly developments in the field of artificial intelligence (AI), has a major impact on the implementation of data protection in companies. A major challenge here is not only to implement all current requirements, but also to find a balance between data protection and user-friendliness so that employees understand data protection but are not overwhelmed. EFS Consulting supports this with extensive project experience in the further development of best practices and individualized solutions.
Best practices for companies to comply with the GDPR
Data protection guidelines and regular data protection training are useful methods for creating awareness among employees. Larger organizations can also develop their own intranet pages with tailored content, e.g. in the form of FAQs, videos, or consultation appointments. Special training for the data protection-compliant use of artificial intelligence is particularly recommended when using AI systems in the organization.
In order to check the effectiveness of employee awareness training and to keep the risk assessment up to date, regular reviews of the implementation of the GDPR in the company are essential. This can take the form of spot checks at the workplace, reviews of existing processes and data protection documents, as well as checks to ensure that system settings in the IT infrastructure are up to date.
The above-mentioned awareness measures and checks are ideally carried out by the data protection coordinator / data protection team with the support of the data protection officer if necessary. EFS Consulting offers support in the form of awareness campaigns and training, reviewing, or creating new data protection documents, setting up a Privacy Information Management System (PIMS), carrying out data protection audits and appointing an external data protection officer.
Conclusion and outlook
The requirements and challenges in the area of data protection and cybersecurity are relevant for all companies and organizations. The value of the data economy in the 27 EU member states alone is estimated to rise from EUR 301 billion in 2018 to EUR 829 billion in 2025. Accordingly, companies must keep a close eye on legislation, especially at European level, and integrate applicable regulations and nationally implemented directives into their working practices. The EU will continue to develop its data strategy in the coming years, which has already resulted in AI and data regulations (AI Act, Data Act), among others. The ePrivacy Regulation, which is currently being revised, will also expand data protection from the perspective of electronic communication at European level and complements the GDPR in many respects.
The certification of implemented data protection requirements is also evolving. For companies with an established information security management system (ISMS) in accordance with ISO/IEC 27001, for example, the extension of the ISMS to include ISO/IEC 27701 could be an option here, which expands the existing ISMS in the handling of personal data in a targeted manner and supports compliance with the requirements of the GDPR. In Austria, certification of controllers (Art. 4, no. 7 GDPR) by an accredited certification body is also possible (Art. 43 GDPR, § 3 ZeStAkk-V).
In summary, data protection and cybersecurity can be captured by the quote “Nothing is as constant as change.” (Heraclitus of Ephesus, 535-475 BC): technology and law are constantly changing, and companies must keep pace with that change in order to remain innovative and legally compliant.