The European General Data Protection Regulation presents companies with new legal challenges
On May 25, 2018, a uniform data privacy law will take effect throughout all European Union countries

The European Commission gave its Member States and companies two years in which to make the necessary adjustments. This deadline is now looming. From the end of May 2018, they must all comply with the provisions of the new General Data Protection Regulation.
Bram Renmans – Sales Operations & Marketing Manager
European General Data Protection Regulation

The General Data Protection Regulation applies to everyone undertaking commercial activities within the EU, whether corporate groups or small-scale entrepreneurs.

Identical data privacy regulations throughout the European Union

With the General Data Protection Regulation (GDPR), the European Union has created the legal foundations for a uniform digital single market. Its 99 articles introduce countless new obligations for companies, while giving EU citizens more protective rights for their data. The obligation to produce supporting documents, privacy by design, the right to be forgotten and the obligation to notify data breaches – there is a long list of conditions, and companies must act swiftly to comply with the new rules. As well as obligations and risks, however, the General Data Protection Regulation also creates opportunities: a uniform legal framework offers better prospects for establishing new business models across Europe.
"It's time to act. There is no way around it, because the deadline will definitely not be extended any further," warns Jan Philipp Albrecht. The European Parliament's rapporteur on the General Data Protection Regulation is urging companies to address the new data privacy regulations without delay. Once the more stringent provisions of the General Data Protection Regulation come into force in May 2018, breaches will be liable to hefty fines.

Data privacy breaches will be costly

Any companies that fail to observe the regulations on the storage and processing of personal data face fines of 20 million euros, or up to four percent of their gross global sales. Despite this, a recent survey by the industry association Bitkom found that one-third of companies have yet to address this issue at all, and only 13 percent have adopted or implemented initial measures. Hence, it would seem that the majority of German companies are not prepared for the GDPR. Many companies will have to introduce new technical/organizational measures and data handling procedures, train and sensitize personnel in data privacy, and implement new software and processes, for example with regard to data management and compliance management.

Are cloud services compliant with the new data privacy law?

Among companies, IT departments in particular are under the spotlight, faced with deciding whether the use of cloud services is data privacy-compliant. The answer? It depends. Firstly, data privacy regulations such as the General Data Protection Regulation only apply to personal data, although this now affects the majority of applications.
Secondly, the offerings of the numerous cloud providers differ in several respects. For public cloud services and software-as-a-service offerings in particular, the physical location of the data center and the country that manages the cloud services are pivotal. Whether or not personal data leaves Germany and/or the European Union is the key issue here. This is the case as soon as the data appears on a support employee’s screen outside of the European Union.

Open Telekom Cloud is compliant with the General Data Protection Regulation

Deutsche Telekom and T-Systems designed their public cloud offering with a view to the stringent requirements of the General Data Protection Regulation, in order to give companies certainty: the Open Telekom Cloud already meets all the requirements of the Federal Data Protection Act, as confirmed by the data privacy organization Stiftung Datenschutz, which awarded it the recognized "Trusted Cloud Data Privacy Profile (TCDP 1.0)" certificate. In future, this seal of quality will be aligned with the requirements of the GDPR, and the Open Telekom Cloud is of course expected to satisfy these requirements.

Opinions on the topic

What points must companies observe in conjunction with the GDPR?

  • Structure data storage and management – personal data must be promptly locatable
  • Observe the record-keeping and documentation requirements, and keep procedure logs
  • Meet the short deadlines for notifying data privacy breaches – or face a hefty fine
  • Introduce a compliance management system for data privacy
  • Raise awareness of data privacy and the GDPR within the company – train staff and establish new processes
  • Involve external employees, service-providers and subcontractors in compliance strategies
  • Incorporate data privacy requirements at the software development and product design stage (Privacy by Design and Privacy by Default): “Built-in data privacy ex works”
  • Anonymize or pseudonymize data for test and development purposes – or obtain the client's explicit consent for the use of their real data
  • For data vaulting in the cloud, avoid “vendor lock-in” and clarify procedures for possible retransfer