Even those who have not managed to make all the necessary adjustments for the EU GDPR in time need not panic about the supervisory authorities just yet. Most national data protection authorities stress that they are themselves still putting in place the conditions needed to implement the new regulation.
However, a danger now lurks from another direction: non-compliance can also result in a formal written warning, and there is reason to fear that some lawyers will deliberately go hunting for typical problems. These GDPR "ambulance chasers" need nothing more than an internet search to make quick money with little effort. SMEs in particular should therefore give priority to eliminating every problem that can be found easily with a search engine, and even sole proprietors would be well advised to check their websites with this in mind.
The rules for websites also apply to other forms of internet communication such as newsletters. One notable change is the switch from opt-out to opt-in when obtaining declarations of consent: subscribers now have to give their consent explicitly, and merely offering a way to opt out is no longer enough. The previous practice of assuming agreement as long as no explicit objection was raised, e.g. when concluding a contract, is therefore no longer lawful. The same goes for pre-ticked checkboxes in online forms; the interested party now has to tick the box themselves.
A data processing agreement has to be concluded with every service provider that processes personal data on your behalf. Most providers have been prepared for this for some time and offer suitable standard agreements. Anyone using web analytics tools or administering a web server themselves should bear in mind that, according to the current legal debate, IP addresses are generally regarded as personal data, so analytics data and server logs that record them fall within the scope of the regulation.
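Since the article treats IP addresses in server logs as personal data, the practical check a web-server administrator will want is whether the logs can be stored in a form that no longer identifies the visitor. The following is an added example, not code from the article or from it-sa: it truncates client addresses in access-log lines so that only a network prefix remains (the host bits of an IPv4 address and the subnet and interface identifier of an IPv6 address are zeroed). The "combined" log format, the /24 and /48 prefix lengths, and the sample log lines are all assumptions made for the example; whether a given truncation is sufficient anonymisation for your use case is a legal question the article does not settle.

```python
import ipaddress

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.42 - - [10/May/2018:08:15:02 +0200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/May/2018:08:15:03 +0200] "GET /kontakt HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2018:08:15:09 +0200] "POST /newsletter HTTP/1.1" 302 0 "-" "curl/7.58.0"
"""

# Assumed policy: keep the /24 of an IPv4 address and the /48 of an IPv6 address.
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def anonymise_ip(text):
    """Zero the host bits of an IP address; anything that is not an IP is returned unchanged."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text  # e.g. "-" or a hostname: nothing to mask
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymise_log_line(line):
    """In combined format the client address is the first whitespace-delimited field."""
    client, sep, rest = line.partition(" ")
    return anonymise_ip(client) + sep + rest


def anonymise_log(text):
    """Apply the masking to every line of a log file's contents."""
    return "\n".join(anonymise_log_line(line) for line in text.splitlines())


if __name__ == "__main__":
    # Typical use: pipe the live log through this filter before it is written to disk.
    print(anonymise_log(SAMPLE_LOG))
```

Truncation is used here rather than hashing: an unsalted hash of an IPv4 address can be reversed by enumerating all 2^32 values, so it does not remove the personal reference. If the full address is still needed briefly, e.g. for blocking an attacker, keep it in a separate short-lived log and apply the article's own advice of destroying data that is no longer needed.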
Another new requirement is that IT systems have to be secured with state-of-the-art means to protect the data against misuse or theft. What actually counts as state of the art is the subject of much discussion. Contrary to previous practice, however, if damage occurs the claimant no longer has to prove deficiencies; instead the company has to prove that it took sufficient security precautions. This, too, is likely to keep the courts busy.
Anyone whose data is held, whether a customer or a job applicant, can at any time demand information about the data stored about them and can also ask for it to be deleted, so SMEs need to be prepared for such requests. The previous principle that personal data may only be used where there is a legal basis for it or the individual concerned has consented is retained. The simplest compliance measure is often overlooked: destroy data that is no longer needed.
You will also find news about all aspects of it-sa and the IT security environment in the it-sa Security Newsletter.