The new, harmonised EU General Data Protection Regulation entered into force on 24 May 2016 and must be applied from 24 May 2018 without any further transitional period. All companies operating in the EU, regardless of their place of business, are already subject to the legislation. Legal enforcement in Switzerland is already in progress. For us, this is a reason to examine the basic data protection regulation in more detail in a series of articles.
Key elements for implementation at company level
There are three main measures to be implemented at company level.
With very few exceptions, a data protection officer must be appointed. The data protection officer has the task of informing and advising those responsible, employees and any contract processors about their data protection obligations. They must monitor compliance with the requirements and the implementation of relevant measures. A DPO also serves as a contact person and coordinator for all inquiries and information flows relating to data protection. The demands placed on the DPO are very high, as they should have comprehensive specialist knowledge in the field of data protection. Especially if a company decides on an internal solution. There are considerable risks of liability and fines in the event of improper implementation and so this could prove to be an obstacle without accompanying measures.
- Furthermore, a systematic risk analysis is required. Most companies will already have a documented risk analysis, especially if their processes are ISO 9001 certified. In order to meet the special requirements of data protection, however, it is also advisable to include persons to which data are processed as independent asset in the risk analysis. This ensures that specific risks, hat might have little impact on the company itself, are also taken into account and appropriately assessed. On the other hand, it makes sense to document records relating to the various considerations that contribute to a particular rating of a privacy-related risk to make this easy to understand in terms of the required controllability. Subsequently, appropriate measures to reduce the risks must be defined and implemented.
- There is an obligation to maintain a record of processing operations. It must document which data processing operations exist – exclusively with regard to data relating to natural persons. This is a structured directory which documents the processing, its purpose, the persons and data concerned, the recipients of data and deadlines for deletion. This measure is comparatively simple to implement – albeit not necessarily with little effort – since a corresponding template can be prepared and completed.
Processing specific key elements
Once the company-wide foundations have been laid, we can look at the individual processing steps. Four central measures must be observed:
- If personal data are processed: to carry out a so-called data protection impact assessment ahead of commissioning a processing. In principle, the data protection impact assessment is nothing more than a more detailed risk analysis related to this particular processing. There are various requirements to be taken into account for this. As with a company-wide risk analysis, it is advisable to keep a record of cost/benefit considerations relating to measures that have not been implemented. For example, it can be shown that certain measures have been discussed and the reasons why they have been classified as not suitable or disproportionate.
- A suitable security concept must be drawn up. This must integrate the measures deemed necessary according to the data protection impact assessment. The security concept can, of course, be based on any existing superordinate concepts. It describes the technical and organisational measures for the protection of applications and data. The important implementation principles, such as privacy by default, must also be taken into account here.
- In most cases in sectors other than public administration, we can assume that the processing of personal data happens with the explicit consent of the persons concerned. Accordingly, consent management must be established. In addition to the particularly important consent itself, the various information and disclosure obligations as well as the rights of the data subject to opposition, correction and deletion can also be integrated into this process. Incidentally, consent may be obtained purely electronically, whereby a double opt-in procedure and some logging requirements should be implemented.
- Data protection-compliant agreements must be concluded with suppliers/order processors. It is important to note that the client cannot transfer the responsibility for data protection to the order processor. In any case, he remains responsible for the processing of personal data. The client must ensure by means of appropriate contractual clauses that the processor does not carry out any processing in third countries without an adequate level of protection himself or via subcontractors. Furthermore, the contract must specify the technical and organisational measures to be implemented by the processor and take precautions to enable the data subjects to enforce their rights, such as the right to deletion.
This brings our five-part article series to an end. We hope that we could give you an overview and that some of this information will help you in the legally compliant implementation of digitisation and IT projects.
In a few weeks’, the new rules will apply in the EU. At the same time, the total revision of the Data Protection Act is also underway in Switzerland. Even though some questions have not yet been decided, it can be reliably predicted that in a few months Switzerland will also adopt comparable rules in order not to lose the current equivalence of Switzerland with regard to data protection, as confirmed by the EU Commission. This means that companies that are purely focused on the internal market will soon also be able to benefit from these compliance requirements.
Our series of articles on the subject
- In the lead-in article, we drew attention to the need for action.
- In the first part of the series, we introduce the various actors and set the framework.
- In Part 2, we examined the principles of data protection based on four pillars.
- Part 3 explains the special requirements for the processing of special categories of personal data and profiling, which is regarded as particularly critical.
- In Part 4, we highlight legally privileged, desired processing methods.
- This last part of the series concludes with a framework for the pragmatic and appropriate implementation of data protection in your IT projects.
About the author
Stefan Haller is an IT expert specializing in risk management, information security and data protection at linkyard. He supports companies and authorities with risk analysis in projects, the conception and implementation of compliance requirements in software solutions as well as with the creation of IT security and authorization concepts. He holds a certification in Risk Management and has carried out numerous security audits on the basis of the ISO 27001 standard as an internal auditor for more than 10 years.
Do you have any questions about implementation in your company? firstname.lastname@example.org | +41 78 746 51 16