Five tips for ensuring GDPR compliance
Despite increased fines and “Privacy Shield” being invalidated by CJEU, only one out of five companies is currently in full compliance with the EU’s stringent data protection regulations
Milano, 11/02/2021 // Internationally active companies would be well advised to urgently check the state of their data protection and make certain that the digitalization of their communication processes also ensures compliance with the GDPR. Cloud service provider Retarus, which for decades has been supporting companies to process their communication data in compliance with the law, points out the key factors which need to be considered.
According to a recent report published by international law firm DLA Piper, the cumulative value of fines imposed for infringements of the EU’s General Data Protection Regulation (GDPR) rose by a mammoth 40 percent across Europe over the past year. Since the GDPR came into effect in May 2018, a total of 281,000 data breach notifications have been reported across Europe. Fines for infringing on the regulations range up to 20 million euros or four percent of global turnover. In Germany alone, fines amounting to 69.1 million euros have already been imposed. Even so, Germany’s digital association Bitkom found that only 20 percent of companies surveyed in Germany – Europe’s largest economy – have fully implemented the GDPR.
One reason for this is the ongoing legal uncertainty surrounding the regulation. The European Court of Justice (CJEU) ruling on the Privacy Shield adds further confusion to the matter.
In the following list, Retarus has compiled some useful GDPR Tips to provide some clarity, especially for companies that are transferring personal data across the EU’s borders:
1. Clarify what personal data is being transmitted
Personal data comprises all manner of information on an identified or identifiable natural person such as name, location, online identifiers (e.g. IP addresses), as well as facts relating to physical, psychological, economic, or social identity. This even includes fax numbers and email addresses. Personal data is transferred when corresponding via email, fax, or SMS. Consequently, companies need to clarify which data they possess or gather, where it is stored, who processes the data, to where it is transferred, and whether the data is processed in compliance with the new legal framework.
2. Check if the company is making use of IT services provided by US companies
If companies are using IT services provided by US enterprises such as the large hyperscalers, they need to check very carefully whether their data exports (for example, to email security and archiving services) meet the requirements of the GDPR.
3. Review partners previously protected by the Privacy Shield
In July 2020, the European Court of Justice (CJEU) declared the “Privacy Shield” – the data protection agreement between the EU and the USA – invalid with immediate effect. The decision was based on the grounds that EU citizens and companies were not granted sufficient protection from American authorities accessing their data.
Companies are advised to check whether they are working with any companies that were previously covered by the “Privacy Shield”. Feel free to use the website for the Privacy Shield framework as a resource. Should this be the case, companies urgently need to clarify whether they are compliant with the GDPR. If in doubt, companies could request the service provider to issue a document confirming that data is not transferred to the USA at any point for processing, nor passed on to service providers in the USA, and that all data is processed exclusively in the EU.
4. Check SCCs and BCR carefully and complement if necessary
According to the European Data Protection Board (EDPB), it is also not necessarily permissible to simply use Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCR) as the legal basis for exporting data to the USA. This assessment also applies to the corresponding agreements involving countries such as China or Russia. The EDPB therefore advises companies that “additional measures” are necessary to completely rule out the US intelligence services’ right to access personal data, a key issue criticized by the CJEU. Thus far, only preliminary recommendations for ensuring compliance have been issued by the EDPB. In addition, companies are permitted to continue transferring data to the USA in accordance with the special provisions for specific situations outlined in Art. 49 GDPR, as long as the conditions set out in the regulation have been fulfilled. As an example, this may require an explicit declaration of consent from the person concerned.
5. Select a suitable, qualified cloud service provider
With the right cloud service provider on board, companies benefit from high-performance communication processes that are secure and flexible across all of their locations. At the same time, data protection in accordance with the GDPR should no longer be an obstacle when selecting potential cloud services, especially once the company has already made certain that all providers meet its data protection and security requirements. In the best case, the provider can guarantee local data processing within the EU, ensure that processing takes place in its own data centers (even during failover or maintenance activities), and steer clear of US-based hyperscalers.
For companies who would like to quickly check whether they are on the safe side with respect to data protection, Retarus has put together “7 Questions you should ask now”. The Munich-based business communication experts have also made a questionnaire available, free to download, which allows companies to easily check whether an IT service provider ensures data protection in accordance with the GDPR.
About Retarus
Retarus is a global provider of API