The European General Data Protection Regulation (GDPR) came into force on May 25, 2018.
Since 25.05.2018, every company, including small craft businesses, kindergartens, associations or freelancers, must generally provide a legally compliant data protection management system.
This must be distinguished from the appointment of a data protection officer: in most cases, this is only required for companies with 20 or more employees. The data protection officer must be registered with the supervisory authority. If this has not yet been done for your company, in some federal states this is already an offense that can result in a fine.
The following scenario could occur as early as tomorrow:
Scenario 1:
A customer reports to the competent supervisory authority
Regardless of whether the complaint is justified or not, the supervisory authority is now very likely to examine not only the reported incident, but also the entire data protection concept!
Consequence:
If you do not have a data protection concept, or if it does not comply with the new legal requirements, a fine will be imposed.
In contrast to the previous legal situation, it is no longer at the discretion of the supervisory authorities whether a breach is punished. Data protection violations must be punished in future.
Only the amount of the fine to be imposed can still be decided. The standard fine is capped at EUR 20 million or 4% of last year's turnover. According to the supervisory authorities in Germany, the average fine is currently between 10,000 and 15,000 euros.
Scenario 2:
A competitor notices that the data protection notice on your website does not meet the legal requirements, goes to a lawyer and sends you a warning letter.
Consequence:
You can either submit the requested cease-and-desist declaration (which we do not recommend without reservations) and pay the lawyer's fees, or face legal proceedings which you will almost certainly lose.
Either you set up a data protection management system, which means, among other things
Or you can commission a specialist with
of companies do not yet have a compliant data protection manager
That's right! An internal or external data protection officer only needs to be appointed if there are 20 or more employees who work with personal data (e.g. use Outlook).
But this is where the problems begin in practice:
Regardless of whether you have to appoint a data protection officer or not, this has nothing to do with the obligation to set up a data protection management system!
As a managing director, you must take on all tasks yourself if you do not appoint a data protection officer. Without one, however, it is practically impossible to comply with the various legal requirements.
And here it is the same as with the tax consultant:
Of course, you could prepare your company's tax return yourself after a long training period. But don't do it. After all, you have a company to run and that is challenging enough.
As you can see: It makes sense to hand over your data protection obligations to a specialist. Because it saves you time and money.
The IT expert takes care of IT security. The data protection officer looks after the security of customer data.
Although both topics are closely linked, an IT security concept alone cannot guarantee sufficient data protection.
Due to the increased data protection requirements, the supervisory authorities will take a much more restrictive approach in future and carry out more checks.
In addition, your customers have become much more aware of the issue than was the case in the past due to a variety of reports in the press. Just one dissatisfied customer can result in a large fine:
Do you issue invoices in the name of your customers? Then you already fall under the scope of the GDPR. Have you informed every customer of their rights since 25.05.2018 in accordance with Art. 12 ff. GDPR? If not, any of your customers can lodge a complaint with the supervisory authority!
This applies regardless of whether more or fewer than 20 employees handle personal data.