GDPR: New EU regulation defines the handling of customer data

On 28 May 2018, the new General Data Protection Regulation (GDPR) will become effective. On one hand, the new set of rules determines how companies must protect personal data and on the other hand, how the free flow of data should be regulated.

GDPR supersedes the previous data protection directive (95/46/EC) from 1995. The protection of personal data was already anchored in the existing directive; but the requirements for companies were less strict. In comparison to other countries, data protection already has a particularly high significance in Germany and Switzerland. Even for companies which have implemented the "Federal Data Protection Act", urgent action is needed, as even minor changes to the regulations frequently mean that adjustments must be made to organisational processes, products, documentation obligation and IT. Existing contracts in B2B and B2C contexts must also be checked regarding GDPR and amended if necessary.

The following points are of particular significance in relation to the tightening of the legislation:

1. Transparency when handling customer data

Every EU citizen may ask how a company handles their personal data. Every company must be able to answer the following questions for all customers:

• Which personal data is stored?
• For what purpose is the data stored?
• Is personal data passed on to third parties? If so: which?

2. Obligation to report data that has been lost, stolen or accessed by unauthorised persons

In the case of a data breach, companies must notify the responsible data protection authority within 72 hours. For serious incidents it is also necessary to inform the affected persons.

3. Privacy by Design

Privacy by Design intends to minimise the collected data. This also includes the use of advanced encryption methods.

4. Privacy by Default

Along with the technical aspects, the standard settings of the used applications should be as private and privacy-friendly as possible. This ensures that personal data is not shared with the public.

5. Simple transfer of personal data

Customers, who wish to change providers, must be able to simply migrate their data. Therefore, the export and transfer of data must be barrier free, e.g. all documents can be exported in one data packet.

6. Name a data protection officer

Companies, which manage sensitive data, must employ a data protection officer. This requirement is already enforced in Germany today, and will be introduced in other countries such as Switzerland. The data protection officer can be internal or external to the company. It is recommended for most companies to fill this role as the topic of data protection is complex.

7. Data protection in non-member states remains problematic

The protection of customer data outside of the EU and Switzerland is still precarious because the data protection regulations of non-member states are often less strict. If companies wish to continue to protect data in non-member states, the evaluation of the EU Commission is to be observed. Data transfer to Switzerland is unproblematic due to the decision of the EU Commission.

8. Companies outside of the EU are also affected

The new data protection directive applies to all companies, which manage the data of EU citizens. As a result, many companies with their registered office outside of the EU area are also affected.

9. Infringements may be punished with heavy fines

Although the new legislation is very complex, it is important that all affected companies take steps to comply with it. After all, the penalties may assume existential proportions - in the worst case up to four percent of the worldwide annual turnover or up to 20 million euros.