Most companies are now aware that the General Data Protection Regulation (GDPR) brings with it a whole host of obligations. The consequences of non-compliance are best illustrated by the recent case of Deutsche Wohnen SE. On 5 November 2019, the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit) announced that it had issued the real estate company with a penalty notice of EUR 14.5 million for breaching the GDPR. Back in 2017, the authority had established that the archiving system used by the company made no provision for deleting data that was no longer required and that no retention periods had been defined for tenants’ records. Despite the authority’s corresponding recommendations, the shortcomings identified had not been rectified, as a repeat audit in March 2019 revealed.
Be GDPR-compliant with standardized deletion and retention concepts
This is by no means an isolated case. Retaining and deleting data in a legally compliant manner still poses major challenges for many companies. The standard DIN 66398 provides a helpful framework in this regard. Many IT systems also offer the option to incorporate retention and deletion periods into their configuration without any significant effort – SAP, for example, already offers this with its “Information Lifecycle Management”.
For companies that are not completely sure about how to implement GDPR correctly or do not have sufficient capacity to do so, it can be helpful to obtain advice from external specialists. TÜV Rheinland has already supported numerous medium-sized businesses with its Data Protection-Compliant Deletion and Retention Concept service. The aim of this service is to establish the most consistent standards possible at management level across business units and regions in order to ensure universal applicability and sustainability. When it comes to technological implementation requirements, the complexity of the IT structure must be taken into consideration. TÜV Rheinland takes an interdisciplinary approach here, with lawyers and IT experts working together in our project teams to develop practical and legally compliant solutions.*
The bottom line – establish data protection as a compliance discipline
The recent record fine imposed on the aforementioned real estate company makes it clear that the supervisory authorities’ increasingly stringent approach to levying fines could pose a threat to the existence of companies – reason enough to seriously address the requirements of the General Data Protection Regulation. More and more businesses are now incorporating the issue of data protection into their compliance activities, an approach supported by TÜV Rheinland’s data protection specialists. It may be useful to expand existing compliance management systems (CMS) to include data protection requirements or directly implement an integrated CMS with a data protection component.
* The catalogue of deletion rules defines the deletion categories and data types and assigns each its retention and deletion periods. The mechanisms required to implement application-related deletions in accordance with Article 17 GDPR (right to erasure) are also integrated. Mapping the IT landscape and its interfaces accordingly can provide further added value: it often brings the neglected area of “shadow IT” into focus, which can then be added to the current documentation.
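As an added illustration (not part of the TÜV Rheinland text, and not the DIN 66398 standard’s own model), the following Python sketch shows how a catalogue of deletion rules of the kind described in the note above, and the retention periods mentioned earlier as configurable in IT systems, can be evaluated mechanically against stored records. Each rule pairs a data category with the event that starts its retention clock, a retention period, and a flag for statutory retention duties that override an erasure request; records with no matching rule are flagged rather than silently kept, which is where undocumented “shadow IT” data surfaces. The categories, trigger events, periods, the `retain_restricted` outcome and the sample records are constructed assumptions for illustration, not values from the page or from any regulation.

```python
"""Added example: evaluating records against a deletion-rule catalogue.
Rule names, periods and sample records are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DeletionRule:
    category: str        # deletion category / data type in the catalogue
    trigger: str         # event that starts the retention clock
    retention_days: int  # how long after the trigger the data must be kept
    statutory: bool      # True if a legal retention duty overrides erasure requests


# Constructed catalogue (assumed values, not legal advice).
CATALOGUE: Dict[str, DeletionRule] = {
    "tenant_record": DeletionRule("tenant_record", "tenancy_end", 3 * 365, False),
    "invoice": DeletionRule("invoice", "fiscal_year_end", 10 * 365, True),
    "applicant_file": DeletionRule("applicant_file", "rejection_sent", 180, False),
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: Optional[date]   # None if the trigger event has not occurred yet
    erasure_requested: bool = False


def decide(record: Record, today: date,
           catalogue: Dict[str, DeletionRule] = CATALOGUE) -> str:
    """Return the action for one record: delete, retain, retain_restricted or no_rule."""
    rule = catalogue.get(record.category)
    if rule is None:
        # Uncatalogued data must be classified first; never keep it by default.
        return "no_rule"
    if record.trigger_date is None:
        # Retention clock has not started (e.g. tenancy still running).
        return "retain"
    expiry = record.trigger_date + timedelta(days=rule.retention_days)
    if today >= expiry:
        return "delete"                       # retention period has run out
    if record.erasure_requested and not rule.statutory:
        return "delete"                       # Art. 17 request, nothing overrides it
    if record.erasure_requested and rule.statutory:
        # Statutory duty overrides erasure (Art. 17(3)(b)); assumed handling here
        # is to keep the data but restrict it to the retention purpose.
        return "retain_restricted"
    return "retain"


def evaluate_all(records: List[Record], today: date) -> Dict[str, str]:
    """Map every record id to its decision; inventory-style output for a deletion run."""
    return {r.record_id: decide(r, today) for r in records}


# Constructed sample data set, evaluated as of 1 January 2024.
AS_OF = date(2024, 1, 1)
SAMPLE_RECORDS: List[Record] = [
    Record("T-1", "tenant_record", date.fromisoformat("2020-06-30")),        # expired
    Record("T-2", "tenant_record", None),                                    # still active
    Record("I-1", "invoice", date.fromisoformat("2019-12-31")),              # within period
    Record("I-2", "invoice", date.fromisoformat("2019-12-31"), True),        # erasure vs. duty
    Record("A-1", "applicant_file", date.fromisoformat("2023-10-01")),       # within period
    Record("A-2", "applicant_file", date.fromisoformat("2023-10-01"), True), # erasure honoured
    Record("X-1", "export_spreadsheet", date.fromisoformat("2018-01-01")),   # not catalogued
]

if __name__ == "__main__":
    for rid, action in evaluate_all(SAMPLE_RECORDS, AS_OF).items():
        print(f"{rid}: {action}")
```

The `no_rule` outcome is deliberately not a fallback to "retain": in a real deletion concept the run should stop and report such records so that the catalogue (and the system inventory behind it) can be completed, which is exactly the gap the repeat audit in the case above exposed.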