The General Data Protection Regulation (GDPR) brings with it many new tasks. But where is the best place to start, and what can be implemented quickly and easily without external help? Since our tips on data protection for start-ups have been very popular, here is another guide. This clear and practical guide shows the most important steps that we have identified in about 100 GDPR projects, so that you avoid falling into avoidable traps in front of customers and supervisory authorities.
The following steps can and should be implemented by every company - it's actually quite easy and saves a lot of (compliance) work later on, whether with support or without:
The first step is incredibly easy and quick to implement, but it is often forgotten! Even as a young company, you usually already use countless cloud tools and platforms from external service providers. In most cases, data is exchanged with them or they have administrative access. The most important foundation is the conclusion of so-called order processing contracts, also known as data protection contracts or data processing agreements (DPAs) when you work with English-speaking services. From many years of experience we can say that by now all well-known providers offer templates if you simply ask. In most cases, these are standardised templates that are sufficient for most companies and (e.g. at Google, AWS, LexOffice, Telekom & Co.) can simply be downloaded from the account dashboard. A quick win in data protection, so to speak, and, not least in the eyes of supervisory authorities, one of the basic requirements for commissioning external data processors. The GDPR recognises that in a globalised "digital economy", data does not remain within one's own company. However, to ensure that the data economy does not become the Wild West and that one's own customer or employee data is not used for arbitrary purposes by the analytics tool or the HR cloud, contractual agreements with the service providers are mandatory.
Another important requirement is loosely worded: know your data-processing processes and applications! Some founders will now say "I know my company inside out". Others may be disillusioned: Who exactly has admin access to the customer database? Are our OneDrives or GoogleDrives really only used for company data? Does our HR tool store employee data only in Germany or also outside the EU? What data does the webhook in Zapier access? Or much more simply: what data do we send to tax consultants and tax authorities every month? The GDPR requires a register of processing activities so that you can state and describe what exactly happens to the data and, more importantly, why this happens and on what legal basis (e.g. sending newsletters based on consent; processing employee data in the HR database based on the employment contract; evaluating anonymous website usage statistics on the basis of legitimate interests)! Meanwhile, many good, free templates can be found on the internet, e.g. a detailed content description from BITKOM. Alternatives to Excel and Word are external platforms and applications that make documentation work easier: a tool for documenting the tools, so to speak. But please do not forget to list the documentation tool itself in the register!
The GDPR takes a stricter approach to consent and data-relevant customer information than the previous data protection law (BDSG). A core element of the new data protection law is increased transparency obligations. This is also one of the reasons why everyone is now "enlightened" by cookie banners and similar information measures. More important than a possibly superfluous cookie banner are comprehensible consent forms and readable privacy policies (our own privacy policy can gladly serve as an exemplary starting point for this guide). Regardless of the size of the company and its area of activity, it is important to bring the privacy policy up to date and to state "what you do with the data" in an understandable way. According to Jan Philipp Albrecht, legal texts "by lawyers for lawyers" that are incomprehensible to consumers will be a no-go in the future! The situation is similar with consent texts: the information relevant to consent should never (!!!) be hidden in long passages of text, but must be provided in the simplest and most comprehensible language possible. Checkboxes must not be pre-ticked, and the final confirmation button should be as close as possible to the consent text.
Nothing works without awareness! Some of you will already have noticed that since the GDPR, data protection has become a popular (or, thanks to annoying info-mail spam and cookie banners, an unpopular) topic, even among employees. At the very least, there are likely to be many unanswered questions and ambiguities. It is therefore important that the management fulfils its responsibility under data protection law (keywords: data protection management & accountability) and has regular data protection training or DSGVO workshops carried out. These should explain the new operational requirements in data protection, but the focus is on communicating the new rights of end customers and employees. If no data protection officer has been appointed in the company to conduct the training, external training solutions, lectures or webinars are also conceivable.
The last step of this guide might just as well come first. The GDPR pays special attention to strengthening the rights of data subjects. Who is a data subject? This can be end customers or employees, but also mere visitors to your own website. In other words, (natural) persons who are "affected" in some way by your handling of data (e.g. by the recording of their IP address when they visit your website). Without getting lost in details, every company should ensure the following points from the very beginning: