International Business Articles
By Per Kristian Stöcker, Esq.
WINHELLER Attorneys at Law & Tax Advisors
For several weeks, companies have been obliged to apply the European General Data Protection Regulation (GDPR). The two-year transitional period is definitely over. The core of the new legislation is – as is generally known – the transparency in data processing. In view of this aim, companies have to furnish proof of compliance with the legal requirements. It is therefore indispensable to implement and document a so-called data protection concept.
Identify Your Weaknesses and Profit Not Only in Terms of Data Protection
Many companies in Germany and Europe have invested a lot of time and money in creating a data protection concept in line with the new statutory regulations. Our experience shows that in most companies this transformation is far from being completed.
Entrepreneurs often wish to know how much detail is required in their data protection concept and how likely it is that the competent supervisory authority will actually inspect the concept. Notwithstanding these questions, we would like to make you aware of the many advantages that may result from a new evaluation of the data protection organization within your company. These advantages go well beyond the mere protection of personal data.
For many companies, the most important argument certainly is that they want to avoid the liability risk. Compared to the old Federal Data Protection Act, the liability limit has been increased from EUR 300,000 to EUR 20,000,000 or 4% of the annual turnover of a group of companies. In addition, the supervisory authorities may also conduct controls and order the shutdown of IT systems required for business operations whenever infringements come to their attention.
Competitors and certain attorneys, who are infamous for specializing in non-compliance warnings, may additionally cause trouble because breaches of data protection, which are considered as violations of market conduct rules, may entail costly warnings.
As data protection is very popular, customers and business partners but also potential candidates and employees are very sensitive to the topic. If your company and your products and services are on the safe side in terms of privacy protection, you can advertise this fact – for orders, candidates but also for your customers’ or employees’ confidence.
Data protection is an intersection of legal, organizational and, last but not least, technical implementations. The technical protection of personal data – the guarantee of “security in processing” – requires IT security measures including erasure, authorization and data separation concepts. These measures benefit your IT infrastructure and protect your company from data losses and infiltration of your IT systems.
Protection of Know-How and Trade Secrets
These technical and organizational measures will, at best, not only protect personal data. Because an effective security concept can be extended to any other information you consider as worthy of protection. This may be sensitive economic data but also intellectual property, property rights, or ideas. The European Know-How Directive, which will also have to be transposed into national law by mid-2018, requires technical and organizational measures to protect information – the parallels to data protection are obvious.
A company will generally profit from a weakness analysis in respect of data protection, as today privacy is a matter of concern to any business department. By taking a look behind the scenes of each department, you will see the processes, workflows, and (infra-)structure of your company in a new light. In this way, the organization and responsibilities may be structured more efficiently.
Focus on Your Core Business
And last but not least: Once your data protection concept has been implemented successfully, your company will return to calm after a lively debate on the GDPR. And calm will be needed to enable your company to focus on your priorities: your core business.
WINHELLER will be pleased to help you find and implement the suitable data protection concept for your company.