What to Prepare for the EU Data Protection Regulation 2018

The EU Data Protection Regulation is a great thing. Its main advantage is to harmonise the European law and simplify the structure. That means that it will lead to a more uniform design of all product and service providers who want to sell within the EU or even from outside the EU.

Currently the EU Data Protection Regulation gets a lot of attention due to the high fees in case of non-compliance. In addition, the regulation contains a novelty: the possibility of a class action, which is not commonplace in the European area.

What is the EU Data Protection Regulation?

The data protection regulation concerns above all the personal data. By principle this includes all data that makes a person identifiable, such as IP addresses, geodata, etc.

The Consequences of the Reversal of the Burden of Proof

The essential point of the Data Protection Regulation is the reversal of the burden of proof. Thus, the company has to prove that it does nothing wrong with the data of its customers. So far, this process has generally been reversed per se, so that the customer or website user had to prove to the company that the company had acted reprehensibly.

In order to meet this burden of proof, we recommend a processing directory for each company that documents the company’s order and data processing. This also suggests that user data should be forgotten or deleted, for example, as soon as they are e.g. no longer needed for an order processing.

In addition, it makes sense to take a data protection impact assessment in order to act in a transparent way for users and companies. As part of a new software development, this principle must be a priority during development. This can be summarized under the claim “Privacy by Design”.

Each Data Collection asks for a Legal Basis

Only those data surveys are legitime, that are imperative to fulfill the contract or based on a clear voluntary consent. The last-mentioned case includes for example active signups to a newsletter via double opt-in. Nevertheless a right of revocation must be granted. The cases in which there is a legitimate interest in data may also be lawful under Article 6 (1) (f) GDPR. An assessment is made on the basis of the following criteria: type of data, transparency, data sensitivity, degree of data encryption, pseudonymisation and right of objection. This third aspect opens up a certain scope for considerations of interest.

Privacy Information requires Supplementation

The privacy policy should define who is responsible in a simple and easy-to-understand language. In addition, the purpose and legal basis of the data processing and the recipient of the data must be mentioned. Data transfers to non-European countries and the storage period must also be included. For companies with more than ten employees, the announcement of their own data protection officer is mandatory.

Extension of the Persons Concerned

The Sample of E-Mail Marketing

E-mail advertising is only allowed, if an explicit consent has been given. If the e-mail addresses of existing customers appear in a mailing that does not have explicit consent, this is legally incorrect. It calls for a final interpretation to what extent such a coupling of data use is legitimate.

In general, data may only be stored as long as its needed for a user-confirmed purpose. The data can only be submitted to third parties under very strict conditions on the case of a clear legitimate interest.

Immediate Duties

An update of your company’s privacy information is essential. In addition, you should be aware of what user data you collect in your organization and how you proceed those data. Identify all data processors and review the formulations of forms and privacy information. Make sure you have your own processing directory. Ensure it’s easy to understand when, where, why, and how long you’re collecting user data. If users request that information, the company is obliged to provide comprehensive information in time.

Corresponding support can also be found at Trusted Shops.