Good data protection management is the hygiene factor of IT resilience. The General Data Protection Regulation (GDPR) has been in force in Germany and throughout Europe (EU) since May 25, 2018 – the cleaning order for your resilience apartment, so to speak. The GDPR regulates how companies handle personal data. The GDPR is a regulation – so it no longer needs to be transposed into national law. It also applies to companies from countries outside the European Union if they process the data of EU citizens. The actual intention of regulating the personal data processing of large tech companies (Google, Facebook, Twitter) in particular also affects all medium-sized companies. Yes, even small blogger websites.

Data protection and personal data

What is personal data?

Personal data is data that is not collected completely anonymously and can therefore be assigned to a specific person. This includes name, income, addresses, date of birth, email addresses, even photos and people’s surfing and clicking behavior.

It doesn’t matter where this personal data comes from – whether from online forms, CRM measures, data purchases or the internal HR system – if it comes from EU citizens, it falls under the GDPR. The obligations for companies do not end with updating the privacy policy on the website. Companies should also put their databases to the test.

Personal data available? Companies have a duty

The GDPR reverses the burden of proof. This means that if a person wants information about whether and why your company is processing this person’s data, you must be able to prove that you are either not processing any personal data or that the requested copy corresponds to the data status at the time of the request and is complete. All data from internal IT systems and from all processors must be taken into account. In the event of a complaint by a data subject to the supervisory authorities, you must prove when which information was provided and which corrections or deletions were made.

Another important requirement of the GDPR is the right to be forgotten. At the customer’s request, you must delete personal data immediately – provided there is no longer a contractual or legal basis. Furthermore, personal data for which the purpose of use no longer exists must be deleted. For example, if a contract has expired or an employee has left the company.

Personal data may only be used if there is a legal basis for this, for example in the form of personal consent. Incidentally, parental consent must also be obtained from the outset for the use of data of underage children (under 16).


Data protection for databases

Avoid basic mistakes: At the beginning, we defined what personal data is. Companies are often certain that they do not have any personal data that has been stored without authorization. The problem is that data record fragments and incorrect data record duplicates, in which, for example, the name is misspelled but the email address is correct, can also become an issue. The challenge is therefore – especially in databases that are not always accurately maintained – to track down and fully list distributed personal data, including all multiple and incorrect entries. Ultimately, all data that makes it possible to identify a person through research is affected.

GDPR check for databases

3 important steps for your GDPR check for databases

Suitable data protection software or a data quality tool can help companies gain greater transparency with regard to their data protection compliance.

1. At the beginning, a database analysis is carried out to check its GDPR compliance. Ideally, this data inventory is carried out across all systems. You will often encounter the challenge that old databases exist that can no longer be administered and personal data cannot be deleted. In such cases, the software architecture and the links within the software and to other relevant databases are checked.

2. During the subsequent database analysis, you use the software to check which data types are available, whether all relevant fields are filled and whether the format is correct.

3. The next step is to define which personal data needs to be erased or anonymized. Based on the defined requirements, a data model is created that is used for cleansing (deletion or pseudonymization) and – if desired – for the retrieval of information. Ideally, a regular process for cleansing is defined directly here and anchored in a deletion concept. The whole thing is a flexible, iterative process that involves the customer and is transparent and traceable.
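The three steps above, carried through on a small constructed CRM export as an added example (not the page's own tool or code): step 1 and 2 group records by normalized email address so that a misspelled name does not hide a duplicate, step 2 reports empty required fields and format violations, and step 3 pseudonymizes identifying fields of records whose contract has ended with a keyed hash. The sample records, the field names and the HMAC-based pseudonymization are assumptions for this illustration.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample export (assumed field names); record 2 is a duplicate of
# record 1 with a misspelled name, record 3 uses a non-ISO date, record 4 is a fragment.
RECORDS = [
    {"id": 1, "name": "Anna Müller", "email": "anna.mueller@example.com", "dob": "1988-03-04", "contract_end": "2023-01-31"},
    {"id": 2, "name": "Ana Muller", "email": "Anna.Mueller@example.com ", "dob": "", "contract_end": "2023-01-31"},
    {"id": 3, "name": "Jonas Weber", "email": "jonas.weber@example.com", "dob": "04.07.1990", "contract_end": "2027-12-31"},
    {"id": 4, "name": "", "email": "not-an-email", "dob": "1975-11-20", "contract_end": ""},
]
REQUIRED = ("name", "email", "dob")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ISO_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def normalize_email(value):
    return value.strip().lower()


def find_duplicates(records):
    """Steps 1-2: group by normalized email; returns {email: [ids]} for groups with >1 record."""
    groups = defaultdict(list)
    for r in records:
        groups[normalize_email(r["email"])].append(r["id"])
    return {email: ids for email, ids in groups.items() if len(ids) > 1}


def check_fields(record):
    """Step 2: list empty required fields and format violations of one record."""
    issues = [f"missing:{f}" for f in REQUIRED if not record[f].strip()]
    if record["email"].strip() and not EMAIL_RE.match(record["email"].strip()):
        issues.append("format:email")
    if record["dob"] and not ISO_DATE_RE.match(record["dob"]):
        issues.append("format:dob")
    return issues


def pseudonymize(record, key, today):
    """Step 3: once contract_end lies in the past, replace identifying fields with a
    keyed hash (HMAC-SHA256). The key is stored separately from the database, so the
    pseudonym cannot be reversed by dictionary lookup without it; duplicates of the
    same person still map to the same email pseudonym because the email is normalized."""
    if not record["contract_end"] or record["contract_end"] >= today:
        return record  # still a contractual basis: leave untouched
    out = dict(record)
    for field in ("name", "email", "dob"):
        raw = normalize_email(out[field]) if field == "email" else out[field].strip()
        out[field] = hmac.new(key, raw.encode(), hashlib.sha256).hexdigest()[:16] if raw else ""
    out["pseudonymized"] = True
    return out
```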

Check database data quality – without downtime

Data is the fuel of digital transformation. It is valuable, and its handling is regulated by the GDPR. Data and the databases that contain it must be maintained accordingly. Only then can they open up new potential for a company instead of inadvertently becoming a source of fines. The analysis and the subsequent backup are necessary and well suited to digital automation. Data quality tools are one solution: they ensure data quality through daily analyses in the background.

Create a data deletion concept

Even if it is understood that people whose data has been processed by companies have a right to erasure, many data processors are still unclear about when, how and under what circumstances data must be systematically erased. To avoid taking this risk – and thus incurring high fines – unknowingly, data protection officers should not only be familiar with the content of the GDPR, but also be able to provide their colleagues with assistance at all times.

A proven strategy is to start your own initiative for a deletion concept. This implements a cross-silo deletion routine in the company that can also be understood and applied by those not responsible for data protection.