What data protection means for companies and how companies can fulfil their data protection obligations

The General Data Protection Regulation (GDPR) is causing headaches and you don't really know where to start? Don't worry, you're not alone! Many companies, especially SMEs, feel overwhelmed by the GDPR. In this article, we explain what the GDPR and data protection are all about, what obligations a company must fulfil, what problems await you if you don't fulfil these obligations and how Metasoul can help you avoid these problems.

What is the GDPR?

In the real world, you have the right to privacy. The GDPR ensures that this privacy also applies in the digital world. To ensure this privacy, the GDPR regulates what rights each of us has and what obligations a company must fulfil. Sounds obvious, doesn't it?

The GDPR is an EU-wide regulation that covers the protection of personal data of every EU citizen. This means that every company that collects, stores and processes the data of EU citizens must comply with the GDPR - regardless of the country in the world in which the company is based and the EU citizen is located.

What does the GDPR mean for companies, and for SMEs in particular?

Many companies associate data protection with the data protection declaration on their website. But data protection is more than that. The most important obligations for companies are briefly summarised here:

  • Register of processing activities (VVT): This is where you document all processes in which you collect, store or process personal data. If you manage the VVT properly, you have already laid the foundation for all other obligations.
  • Technical and organisational measures (TOM): This defines how you protect personal data in your company.
  • Data protection impact assessments (DPIA): Here you analyse the risks of your data processing for the data subjects and take additional protective measures if necessary.
  • Data processing agreements (AVV): You conclude these contracts with external companies that process personal data on your behalf, e.g. your tax advisor, website operator or Microsoft because you use Outlook.
  • Data protection declaration: Here you explain to your customers exactly what data you collect, what you do with this data, who else is involved in the processing and how long you keep the data.
  • Deletion concept: Determine when and how you delete data to protect your customers' rights.
  • Consent management: If you require the consent of your customers for data processing, you must document and manage this.
  • Dealing with data protection incidents and enquiries: Be prepared to deal with data breaches and requests from customers for their data.
  • Regular review: Ensure that all measures and documents are always up to date.
  • Data Protection Officer (DPO): Required by most companies; the DPO ensures that all GDPR obligations are implemented correctly. The DPO is also the point of contact for data protection issues both within the company and for external persons and organisations such as the data protection authority.

In addition to the above-mentioned obligations, you should always observe the following data protection principles:

  • Only collect data that you really need to fulfil a purpose.
  • Make data accessible only to those who really need access.
  • Do not use data for purposes that your customer has not consented to.
  • Delete data when you no longer need it.

You can find more blog posts on the individual obligations and how best to tackle them as an SME on metasoul.com.

The problem for many SMEs

Implementing the GDPR requires time, knowledge and money. Many SMEs feel overwhelmed and ignore the rules, at the risk of high penalties. But penalties are not the only problem. Although less present in the media, companies are much more frequently confronted with claims for damages because lawyers or private individuals have found inconsistencies in the company's data protection practices. Potential reputational damage and negative publicity are further consequences of violations that become public.

Who is liable for data protection offences?

Liability for breaches of the GDPR lies primarily with the companies or organisations that process the data. A breach exists if one of the aforementioned obligations is not fulfilled. Important: If it is proven that data protection regulations have been ignored, the management is also liable with its private assets.

How does Metasoul help you fulfil the GDPR requirements?

Metasoul supports you in complying with your duty of care with regard to the GDPR and thus avoiding penalties and personal liability:

  • Save time: Documents are created automatically from a company profile.
  • No specialised knowledge required: You don't need to be a data protection expert. Metasoul explains everything you need to know on the way to GDPR compliance in an understandable way, with simple step-by-step instructions via clearly structured task management.
  • Favourable solution: Save money compared to expensive consultants or penalties with an affordable subscription model.

While you can currently use Metasoul to manage the register of processing activities, relevant TOMs and your processors, you will soon be able to create data protection declarations and processor agreements at the touch of a button. If you ever have a burning question, you can ask it via our support function. You won't be left in the lurch.

Conclusion

The GDPR is an important regulation that strengthens the protection of personal data in the EU. However, violations can have serious consequences, including heavy fines. Companies should therefore ensure that they comply with the provisions of the regulation to protect themselves and their customers. Metasoul can help save time and money as well as compensate for a lack of data protection expertise.
