GDPR for companies at a glance

Since May 2018, the EU General Data Protection Regulation (GDPR, known in Germany as the DSGVO) has applied to companies. Non-compliance with its requirements risks not only high fines but also a loss of customer trust. We have compiled the most important requirements of the GDPR for companies and show how to implement them efficiently.

Scope of the GDPR for companies

The General Data Protection Regulation (GDPR), known in Germany as the DSGVO, consists of 99 articles and regulates how the personal data of individuals in the EU may be processed, stored and protected.

Who has to comply with the GDPR?

Companies that store or otherwise process the personal data of individuals in the EU have had to comply with the regulation since May 25, 2018. This also covers companies established outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. The regulation applies directly and uniformly in all EU member states (28 at the time of writing).

The most important requirements of the GDPR for companies at a glance:

  • Article 5 – Processing of data
    Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (Art. 5(1)(f)).

  • Article 15 – Right of access
    Data subjects have the right to obtain, on request, confirmation of whether a company processes their personal data and, if so, which data, for what purposes and to whom it has been disclosed.

  • Article 17 – Right to erasure
    Companies must delete a data subject's personal data on request where one of the grounds in Art. 17(1) applies (for example, the data are no longer needed for the purpose they were collected for, or consent has been withdrawn), unless an exception in Art. 17(3) applies, such as a legal obligation to retain the data.

  • Article 20 – Right to data portability
    Data subjects may request the personal data they have provided in a structured, commonly used and machine-readable format, and may have it transmitted directly to another controller where this is technically feasible.

  • Articles 25, 32 – Data protection
    Companies must implement data protection by design and by default and take technical and organisational measures that ensure a level of security appropriate to the risk, for example pseudonymisation and encryption of personal data, the ability to restore availability after an incident, and regular testing of the effectiveness of those measures.

  • Articles 33, 34 – Reporting obligation
    Companies must notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Affected data subjects must additionally be informed without undue delay only where the breach is likely to result in a high risk to their rights and freedoms.

  • Article 35 – Impact assessment
    Where a processing operation is likely to result in a high risk to individuals, companies must carry out a data protection impact assessment before the processing starts. The assessment describes the processing, evaluates the risks to data subjects and sets out the measures the company will take to address those risks.

  • Articles 37, 38 & 39 – Data Protection Officer
    Companies must appoint a data protection officer if their core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or data relating to criminal convictions. The DPO advises the company on its data protection obligations and monitors compliance with the GDPR.

  • Article 83 – Penalties
    Violations can be fined with up to 20 million euros or four percent of the company's total worldwide annual turnover of the preceding financial year, whichever is higher.

Significance of the GDPR for companies: Conclusion

The GDPR has two primary implications for companies: First, they must make the technical and organisational changes needed to meet the legal requirements. Second, these changes must fit within an economic framework so that they do not jeopardise competitiveness. In both areas, suitable software is an essential component, without which efficient compliance work is hardly possible.


Test PIPEFORCE without obligation and free of charge

Contact us for a free trial account. You can use the account immediately for 30 days. On request, you will also receive a personal introduction to all functions relevant to your use case.