Stricter legal requirements ensure better data protection
The GDPR marked the arrival of data protection in everyday life. For most consumers, it has become routine to complete and sign privacy statements, for example when visiting a doctor’s office. This is all due to the GDPR, which is intended to ensure the protection of personal data within the EU and at the same time guarantee the free movement of data within the European single market. Applicable since May 2018, this regulation replaced the previously applicable data protection legislation; in Germany, the old Federal Data Protection Act (“BDSG old”) was superseded at the same time by a new BDSG that supplements the GDPR.
The most significant change for businesses is certainly the increase in potential fines: from up to 300,000 euros (BDSG old) to up to ten million euros or two percent of total worldwide annual turnover for the lower tier and up to twenty million euros or four percent for the upper tier, whichever amount is higher (Art. 83 GDPR). But there are also new provisions regarding the designation (formerly “appointment”) of data protection officers. In Germany, all businesses in which as a rule at least 20 persons are permanently involved in the automated processing of personal data must designate a data protection officer (Section 38 BDSG). Irrespective of this headcount, a data protection officer must be designated if the business carries out processing that is subject to a data protection impact assessment (Art. 35 GDPR), or if it processes personal data commercially for the purpose of transfer or for the purpose of market or opinion research.
Specialized expertise required
There is no denying it: In the “pre-GDPR world”, the position of data protection officer was often seen as an afterthought, an office someone would hold in addition to their regular job, comparable to that of “occupational safety officer” or “environmental officer”. Many businesses found it perfectly acceptable that their officers acquired the legally required expertise in a compact certification course, simply trusting that no major mishaps would occur. Such an approach is no longer tenable today, because the job of data protection officer now requires comprehensive and in-depth expertise in concepts such as cloud computing, big data and artificial intelligence. Without the necessary IT expertise, the risks of processing data can no longer be assessed properly. Risk assessment is a key topic covered in several sections of the GDPR, which makes it all the more important that the people performing it have the necessary competence.
Data protection becomes ever more juridified
With over 70 opening clauses, interpretive mechanisms such as the recitals accompanying individual articles, and a large number of undefined legal terms, the GDPR requires data protection officers to have far more in-depth legal knowledge than before. At least the topic has now also reached the boardroom, given the size of the potential penalties. Nevertheless, the description of the role in Article 39 GDPR seems to lower the bar for the job: “inform and advise the controller” and “monitor compliance” reads a lot less ambitious than the familiar “work towards ensuring compliance with data protection legislation” (BDSG old).
Companies that lack the necessary in-house expertise and want to avoid paying hefty fines can draw on the support of competent external service providers. Such an approach has several advantages: External data protection officers usually have a back office of computer scientists, information security specialists, business economists and fully qualified lawyers at their disposal, which puts them in a position to cover the full complexity and range of applicable data protection regulations. They also keep an eye on international developments. For example, the flow of data within a global, shared-service IT structure or the introduction of cloud infrastructures are increasingly important topics, and not just for mid-sized groups of companies.
It is also apparent that it will become ever more essential to understand the “peripheral areas” of data protection, i.e. other legislation, regulations and standards, and to leverage synergies. For example, many industrial companies are required to operate an information security management system (“ISMS”) in accordance with ISO 27001 and have it audited on a regular basis. The resulting structure is an excellent basis for a data protection management system: ISO 27701 extends the ISO 27001 ISMS into a privacy information management system (PIMS), so the existing scope, controls and audit cycle can be reused rather than built a second time.
External data protection officers provide relief and add value for businesses
The current pandemic is just one example of the added value that collaborating with external data protection officers can deliver for businesses. The external experts at TÜV Rheinland are in regular contact with all relevant data protection supervisory authorities and support their clients with recommendations for action and working aids. Current examples include information letters on the processing of health-related data, the establishment of privacy-compliant procedures for the use of rapid Covid tests in the company, the monitoring of infection incidence levels, and the privacy-compliant monitoring of vaccination campaigns carried out by company doctors.
All things considered ...
… given the increased requirements on the expertise of data protection officers and the risks of liability and fines, it may well make sense for companies to outsource the task. Collaboration with external data protection officers can improve quality and cost efficiency in this area and generate added value.
Practice Leader Mastering Risk & Compliance