
Four years of the General Data Protection Regulation. Since it took effect, the GDPR has become a top priority for companies. From international corporations to small regional businesses, GDPR concepts must be drawn up carefully and the measures taken must be fully documented. Data breaches, data protection violations and failures to comply with information obligations can all result in high fines, which is precisely why efficient and secure data protection processes are essential.
Read this article to find out how to document GDPR measures in a compliant and timely manner.
On May 25, 2018, the General Data Protection Regulation (GDPR) came into force. Its introduction has changed a great deal in both professional and private life. The aim of the GDPR is to give all citizens of the European Union more control over their own personal data. Among other things, it guarantees data subjects the right to erasure and the right to request a copy of their data.
Expensive fines: Companies have to dig deep into their pockets if their documentation is inaccurate.
Violations of data subjects’ rights, data breaches and inaccurate documentation can be very costly for companies. The sectors with the most data protection breaches are industry and trade, followed by telecommunications and the public sector.

In 2021, there was a sharp increase in fines for data protection violations. The 7-fold increase in cases compared to the previous year shows that improper documentation is punished accordingly (source: computerwelt.at).
Violations of data subjects’ rights, for example, can attract extremely high penalties: the maximum is up to €20 million or 4% of annual global turnover. Penalties for violations of the data processing rules can also be very high, at up to €10 million or 2% of annual global turnover.
The most frequent grounds for penalties imposed since then are listed below:
- Insufficient legal basis for data processing
- Non-compliance with the general principles of data processing
- Insufficient technical and organizational measures to ensure information security
- Insufficient protection of the rights of data subjects
- Insufficient fulfillment of information obligations
- Insufficient cooperation with the supervisory authority
- Insufficient fulfillment of reporting obligations in the event of data breaches
- Insufficient involvement of the data protection officer
- Insufficient agreement on data processing

Many well-known companies have also been targeted by the data protection authority in recent years. These include:
- Delivery Hero Germany GmbH, which owns Lieferheld, Pizza.de and Foodora, had to pay a fine of more than €190,000 in 2019. The reasons include the fact that several people did not receive information about their personal data, while others received unsolicited advertising emails. Because the violations occurred repeatedly, the responsible data protection officer suspects a structural organizational problem (source: ihrdatenschutzbeauftragter.de).
- The tech company Facebook (now Meta) has recently made headlines for its non-compliance with the GDPR, because Facebook collects data without knowing in advance for what purposes it will be used. Under the GDPR, however, companies must specify the purposes for which data is collected (source: vice.com). Facebook has also had to pay fines for several other violations. In 2019, for example, Facebook paid €51,000 because it had failed to notify the change of its data protection officer (source: ihrdatenschutzbeauftragter.de).
- The airline British Airways had to pay a fine of £20 million for a data protection breach in 2020. The breach involved the processing of large volumes of personal data without adequate security measures (source: dsgvo-portal.de, heise.de).
4 tips for documenting GDPR measures efficiently and cleanly
- Check technical and organizational measures on an ongoing basis: The legislator stipulates that measures must be taken to protect personal data. These measures are divided into technical and organizational measures, which should be documented and filed centrally. Because new technologies are introduced all the time, it is also advisable to regularly check whether these measures are still effective. Logging the results digitally can save you a great deal of work.
- Manage all processors centrally: Data processing agreements must be signed with all service providers who process personal data on your behalf. In addition to the service provider’s general details, these contracts must also specify the purpose of the processing and the technical and organizational measures for protecting the data. It is advisable to use a digital tool to record and check details such as validity periods and measures, so that the records stay up to date and the current status can be called up at any time.
- Standardize your processes: Create uniform processes so that you can respond to data protection events such as data subject requests or data breaches in a standardized, compliant and timely manner. This also lets you ensure that all responsible employees comply with the duty to inform.
- Present your precautions clearly for external stakeholders and authorities: During reviews or audits, all processes and the concepts you have created should be clearly prepared and quickly available. A digital solution that lets you create and manage all documentation and logs seamlessly and export reports automatically is also useful here.
Use cases where documentation software is worthwhile
Software for the ongoing documentation and review of all GDPR measures saves you a lot of administrative work, and all data is available in real time. To illustrate this, we present three specific use cases:
Data breach reports (data protection violations)
Whether it is a lost cell phone or an e-mail sent to the wrong recipient, data loss must be documented and reported in a timely and complete manner. With a structured and standardized process, this can be worked through step by step.
Data processing agreement (AVV) management
With a software solution, all contracts, their validity periods and the technical and organizational measures (TOMs) can be handled in a standardized, structured and traceable way, and everything to do with data processing agreements (AVV) is neatly documented.
Data subject requests
A software solution can help you respond to GDPR requests in a timely and compliant manner. With just one click, you have a complete, standardized answer to the request at hand.
Conclusion
Companies can now use the fourth anniversary of the GDPR as an impetus to improve their GDPR measures and processes.
Incidents happen again and again, which makes compliant, process-driven documentation and reporting all the more important. Software for documenting GDPR measures has many advantages and can help a company better fulfill its GDPR obligations.