The European General Data Protection Regulation (GDPR)

Technical articles | 9 November 2017 | 3 min

Many people are discussing it and see its implementation as a major challenge: the European General Data Protection Regulation. It took the EU several years to draw up the regulation. As far-reaching sanctions have also been provided for, it is important for companies to familiarize themselves with the various articles and implement appropriate measures.

On May 25, 2018, the 2-year transition period for the General Data Protection Regulation (GDPR), which has already come into force, ends. This means that there is no further tolerance period for organizations and the requirements that the regulation entails must be met in full from this date.

This affects all companies and authorities that work with personal data, regardless of industry and company size. This data includes customer data, for example, but also personal data and IP addresses.

The GDPR addresses the protection goals of confidentiality, integrity and availability of data. According to the regulation, the resilience of IT systems and services should also be ensured. Compliance with these objectives requires encryption procedures, access controls and methods to ensure data integrity. It is advisable to involve experts in the implementation of protective measures. With encryption products and two-factor authentication, among other things, the be-solutions team helps companies to optimally prepare for the GDPR.

Some articles in the new regulation are similar to the German Federal Data Protection Act, but it still includes many new requirements for companies across Europe. Here is an overview of the most important changes:

Duty to provide information
When processing personal data, companies must provide data subjects with information about the duration and type of storage. Among other things, they are obliged to provide information on the legal basis for data processing or on data being passed on to contract data processors.

Reporting and notification obligation
If a data breach occurs in a company, the regulation stipulates that this incident must be reported to the supervisory authority. The notification should be comprehensive and made within 72 hours. The data subjects must also be informed of the data breach.

Right to be forgotten
The “right to be forgotten” gives people a right to erasure. This means that they can have their data deleted by a data controller. Once a request for erasure has been received, the company must erase the data of the data subject without delay. If the data has been passed on to third parties, the data subject’s deletion instruction must be forwarded.

Data protection officer
Every organization in which at least 10 people are permanently involved in the processing of personal data is obliged to appoint a data protection officer. You can choose between an internal or external appointment. In the case of an internal data protection officer, it is important that there is no conflict of interest in their areas of responsibility.

Fines
The changes should be implemented in companies within a few months, otherwise there is a risk of fines of up to 20 million euros or four percent of annual global turnover. What’s more, liability can no longer be delegated. This means that the responsibility lies with the management and not with the data protection officer.
