The European General Data Protection Regulation presents companies with new legal challenges

Since 25 May 2018, a uniform data privacy law has applied in all European Union member states

The regulation was adopted in April 2016 and gave Member States and companies two years to make the necessary adjustments. Since the end of May 2018, they have had to comply with its requirements.
Frank Wagner

Group Privacy, VP Business, Services & Infrastructure


Identical data privacy regulations throughout the European Union

With the General Data Protection Regulation (GDPR), the European Union has created the legal foundation for a uniform digital single market. Its 99 articles introduced numerous new obligations for companies and gave EU citizens stronger rights over their data. Accountability and documentation duties, privacy by design, the right to be forgotten and the obligation to notify data breaches: the list of requirements is long, and companies had to act swiftly to comply. Alongside obligations and risks, however, the GDPR also created opportunities: a uniform legal framework offers better prospects for establishing new business models across Europe.
"It's time to act. There is no way around it, because the deadline will definitely not be extended any further", warned Jan Philipp Albrecht. The European Parliament's rapporteur on the General Data Protection Regulation was urging companies to address the data privacy rules without delay. Since the regulation became applicable in May 2018, breaches have been liable to hefty fines.

Data privacy breaches are costly

Companies that fail to observe the rules on the storage and processing of personal data face fines of up to 20 million euros or four percent of their worldwide annual turnover, whichever is higher. Despite this, a 2018 survey by the industry association Bitkom found that one-third of companies had at that time not addressed the issue at all, and only 13 percent had adopted or implemented initial measures. The majority of German companies were therefore not prepared for the GDPR. Many had to introduce new technical and organizational measures and data handling procedures, train and sensitize personnel in data privacy, and implement new software and processes, for example for data management and compliance management.

Are cloud services compliant with the new data privacy law?

Among companies, IT departments in particular are under the spotlight, faced with deciding whether the use of cloud services is compliant with data privacy law. The answer: it depends. Firstly, data privacy rules such as the GDPR apply only to personal data, although that now covers the majority of applications.
Secondly, the offerings of the numerous cloud providers differ in several respects. For public cloud and software-as-a-service offerings in particular, the physical location of the data center and the jurisdiction of the company operating the service are pivotal. The key question is whether personal data leaves Germany and/or the European Union. Storage location alone does not settle this: data leaves the EU as soon as it is accessed from outside, for example when it appears on the screen of a support employee located outside the European Union.

Open Telekom Cloud is compliant with the General Data Protection Regulation

Deutsche Telekom and T-Systems designed their public cloud offering with the stringent requirements of the GDPR in mind, in order to give companies legal certainty: the Open Telekom Cloud already meets all the requirements of the German Federal Data Protection Act (BDSG), as confirmed by the data privacy organization Stiftung Datenschutz, which awarded it the recognized "Trusted Cloud Data Privacy Profile (TCDP 1.0)" certificate. The criteria of this seal are aligned with the requirements of the GDPR, and the Open Telekom Cloud satisfies them.

What points must companies observe in conjunction with the GDPR?

  • Structure data storage and management so that personal data can be located promptly, for access, rectification and erasure requests
  • Observe the accountability and documentation requirements and keep records of processing activities
  • Meet the 72-hour deadline for notifying the supervisory authority of personal data breaches, or face a hefty fine
  • Introduce a compliance management system for data privacy
  • Raise awareness of data privacy and the GDPR within the company: train staff and establish new processes
  • Involve external employees, service providers and subcontractors in the compliance strategy, with processing agreements that reflect the GDPR's duties for processors
  • Incorporate data privacy requirements at the software development and product design stage (Privacy by Design and Privacy by Default): "built-in data privacy ex works"
  • Anonymize or pseudonymize data for test and development purposes, or obtain the data subject's explicit consent before using their real data
  • For data storage in the cloud, avoid vendor lock-in and clarify in advance how data will be returned or migrated
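The pseudonymization point in the list above is the one item that describes a concrete technique, so here is an added example of how to do it so that test data stays usable; this is illustrative code written for this page, not T-Systems code or anything from the original article. The customer and order records are constructed sample data, the key handling (a 32-byte secret kept in production, never shipped with the test data) is an assumed setup, and the `dictionary_attack` helper is included only to show why a plain, unkeyed hash is not an acceptable pseudonym:

```python
import hashlib
import hmac
import secrets

# Constructed sample "production" records; not data from the page.
PRODUCTION_CUSTOMERS = [
    {"customer_id": "C-1001", "email": "anna.schmidt@example.com", "city": "Bonn", "plan": "business"},
    {"customer_id": "C-1002", "email": "jonas.weber@example.com", "city": "Berlin", "plan": "basic"},
]
PRODUCTION_ORDERS = [
    {"order_id": 1, "customer_id": "C-1001", "amount": 19.99},
    {"order_id": 2, "customer_id": "C-1002", "amount": 5.00},
    {"order_id": 3, "customer_id": "C-1001", "amount": 42.00},
]
# Fields that directly identify a person; everything else is copied through unchanged.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def new_pseudonymization_key() -> bytes:
    """Secret key that stays in the production domain (assumed: a secrets store or HSM),
    never alongside the pseudonymized test data."""
    return secrets.token_bytes(32)


def pseudonymize_value(key: bytes, field: str, value: str) -> str:
    """Deterministic, keyed pseudonym: HMAC-SHA256 over 'field:value'.
    Same input -> same output, so joins between tables still work; the field
    name acts as domain separation so equal strings in different columns do
    not map to the same pseudonym."""
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{field}-{mac[:16]}"


def pseudonymize_records(key: bytes, records, identifier_fields=DIRECT_IDENTIFIERS):
    """Return copies of `records` with every identifier field replaced by its pseudonym."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in identifier_fields:
            if field in new:
                new[field] = pseudonymize_value(key, field, str(new[field]))
        out.append(new)
    return out


def referential_integrity_holds(customers, orders) -> bool:
    """Every order must still point at an existing (pseudonymized) customer."""
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)


def unkeyed_hash(value: str) -> str:
    """The weak alternative: a plain hash of the identifier with no secret involved."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(pseudonyms, candidates, guess):
    """Re-identify pseudonyms by recomputing `guess` over a candidate list
    (e.g. a leaked e-mail list). Succeeds against unkeyed hashes; fails
    against the HMAC pseudonyms unless the attacker also has the key."""
    table = {guess(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


if __name__ == "__main__":
    key = new_pseudonymization_key()
    customers = pseudonymize_records(key, PRODUCTION_CUSTOMERS)
    orders = pseudonymize_records(key, PRODUCTION_ORDERS)
    print(customers)
    print("joins intact:", referential_integrity_holds(customers, orders))
```

Two caveats a practitioner should keep in mind. First, the key must never travel with the exported test data: whoever holds it can recompute the mapping, which is exactly why an unkeyed hash of an e-mail address is no pseudonym at all. Second, under Article 4(5) GDPR pseudonymized data is still personal data, so the obligations in the list above continue to apply to the test environment; only data that has been genuinely anonymized falls outside the regulation.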