The European General Data Protection Regulation (GDPR) has applied since 25 May 2018.
Since 25 May 2018, every company, including small craft businesses, kindergartens, associations and freelancers, must as a rule operate a data protection management system that complies with the law.
This is to be distinguished from the appointment of a data protection officer: in most cases, that is only required once 20 or more employees are involved. A data protection officer must be notified to the supervisory authority. If this has not yet been done for your company, in some federal states that alone already constitutes an offence punishable by a fine.
The following scenario may occur as early as tomorrow:
Scenario 1:
A customer files a complaint with the competent supervisory authority.
Regardless of whether the complaint is justified or not, the supervisory authority is now very likely to examine not only the reported incident but your entire data protection concept!
Consequence:
If you do not have a data protection concept, or if it does not comply with the new legal requirements, a fine will be imposed.
In contrast to the previous legal situation, it is no longer at the discretion of the supervisory authorities whether a violation is punished. Data protection violations must be punished in future.
Only the amount of the fine remains to be decided. The upper limit is 20 million euros or 4% of the previous year's worldwide annual turnover, whichever is higher. According to information from the supervisory authorities in Germany, the average fine is currently 10,000 to 15,000 euros.
Scenario 2:
A competitor notices that the data protection notice on your website does not comply with the legal requirements, goes to a lawyer and has a formal warning letter sent to you.
Consequence:
You can either submit the required cease-and-desist declaration (which we cannot recommend unreservedly) and pay the lawyer's fees, or you face the threat of court proceedings, which you will almost certainly lose.
Either you set up a data protection management system, which means among other things
Or you can commission a specialist with
of companies do not yet have a legally compliant data protection agency.
True! Only once 20 or more employees regularly work with personal data (e.g. use Outlook) must an internal or external data protection officer be appointed.
But this is where the problems begin in practice:
Whether or not you have to appoint a data protection officer has nothing to do with the obligation to set up a data protection management system!
As managing director, you must take on all of these tasks yourself if you do not appoint a data protection officer. Without specialist support, however, the many legal requirements are practically impossible to fulfil.
And here it is the same as with the tax advisor:
Of course, you could prepare your company's tax return yourself after a long period of training. But you don't. After all, you have a business to run, and that is challenging enough.
You see: it makes sense to hand your data protection obligations over to a professional, because that saves you both money and time.
The IT expert takes care of the security of the IT. The data protection officer takes care of the security of customer data.
Both topics are closely linked, but an IT security concept alone cannot guarantee sufficient data protection.
Because of the increased data protection requirements, the supervisory authorities will take a much more restrictive approach in future and carry out more checks.
In addition, your customers have become far more aware of the issue than in the past, thanks to extensive press coverage. A single dissatisfied customer can trigger a high fine:
Do you issue invoices made out to your customers by name? Then you already fall within the scope of the GDPR. Have you informed each customer of their rights in accordance with Art. 12 ff. GDPR since 25 May 2018? If not, each of your customers can file a complaint with the supervisory authority!
This applies regardless of whether more or less than 20 employees handle personal data.