Five tips for ensuring GDPR compliance

According to a recent report published by international law firm DLA Piper, the cumulative value of fines imposed for infringements of the EU’s General Data Protection Regulation (GDPR) rose by a mammoth 40 percent across Europe over the past year. Since the GDPR came into effect in May 2018, a total of 281,000 data breach notifications have been reported across Europe. Fines for infringing on the regulations range up to 20 million euros or four percent of global turnover. In Germany alone, fines amounting to 69.1 million euros have already been imposed. Even so, Germany’s digital association Bitkom found that only 20 percent of companies surveyed in Germany – Europe’s largest economy – have fully implemented the GDPR.

​One reason for this is the ongoing legal uncertainty surrounding it. The European Court’s (CJEU) ruling on the Privacy Shield adds confusion to the matter.

In the following list, Retarus has compiled some useful GDPR Tips to provide some clarity, especially for companies that are transferring personal data across the EU’s borders:

1. Clarify what personal data is being transmitted

Personal data comprises all manner of information on an identified or identifiable natural person such as name, location, online identifiers (e.g. IP addresses), as well as facts relating to physical, psychological, economic, or social identity. This even includes fax numbers and email addresses. Personal data is transferred when corresponding via email, fax, or SMS. Consequently, companies need to clarify which data they possess or gather, where it is stored, who processes the data, to where it is transferred, and whether the data is processed in compliance with the new legal framework.

2. Check if the company is making use of IT services provided by US companies

If companies are using IT services provided by US enterprises such as huge hyperscalers, they need to check very carefully whether their data exports meet the requirements of the GDPR, such as email security and archiving.

3. Review partners previously protected by the Privacy Shield

In July 2020, the European Court (CJEU) declared “Privacy Shield” – the data protection agreement between the EU and the USA – invalid and with immediate effect. The decision was based on the grounds that EU citizens and companies were not granted sufficient protection from American authorities accessing their data.

Companies are advised to check whether they are working with any companies that were previously covered by the “Privacy Shield”. Feel free to use the website for the Privacy Shield framework as a resource. Should this be the case, companies urgently need to clarify whether they are compliant with the GDPR. If in doubt, companies could request the service provider to issue a document confirming that data is not transferred to the USA at any point for processing, nor passed on to service providers in the USA, and that all data is processed exclusively in the EU.

4. Check SCCs and BCR carefully and complement if necessary

According to the European Data Protection Board (EDPB), it is also not necessarily permissible to simply use Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCR) as the legal basis for exporting data to the USA. This assessment also applies for the corresponding agreements involving countries such as China or Russia. The EDPB therefore advises companies that it is necessary to take “additional measures” to completely rule out the US intelligence services’ right to access personal data, a key issue which has been criticized by CJEU. Thus far, only preliminary recommendations for ensuring compliance have been issued by the EDPB. In addition, companies are permitted to continue transferring data to the USA in accordance with the special provisions for specific situations outlined in Art. 49 GDPR, as long as the conditions outlined in the regulation have been fulfilled. As an example, this may require an explicit declaration of consent from the person concerned.

5. Select a suitable, qualified cloud service provider

With the right cloud service provider on board, companies benefit from high-performance communication processes that are secure and flexible across all of their locations. At the same time, data protection in accordance with the GDPR should no longer be an obstacle when selecting potential cloud services, especially after the company has already paid attention to ensuring that all providers meet their data protection and security requirements. In the best case, the provider can guarantee local data processing within the EU, ensure that processing takes place in its own data centers (even during failover or maintenance activities), and steer clear of US-based hyperscalers.

For companies who would like to quickly check whether they are on the safe side with respect to data protection, Retarus has put together “7 Questions you should ask now”. The Munich-based business communication experts have also made a questionnaire available, free to download, which allows companies to easily check whether an IT service provider ensures data protection in accordance with the GDPR.

Informazioni su Retarus

Retarus è un provider globale di soluzioni cloud in grado di modernizzare e proteggere la comunicazione digitale e lo scambio di dati di aziende e autorità pubbliche. I prodotti principali comprendono il Cloud Fax digitale, SMS, Transactional Email, Email Security, Supply Chain Integration e Intelligent Document Processing. Retarus dispone di data center distribuiti in tutto il mondo, che forniscono queste soluzioni con i massimi livelli di performance, sicurezza e protezione dei dati. Retarus, con sede a Monaco di Baviera, è stata fondata nel 1992, è gestita dai proprietari ed è orgogliosa della sua forza innovativa. L'azienda impiega circa 500 persone in 20 filiali su cuattro continenti. Oltre la metà delle aziende quotate nell'S&P Global 100 si affidano a Retarus e, al pari dei principali analisti, confermano l'eccezionale qualità e affidabilità dei suoi servizi. Retarus offre i suoi prodotti in modo diretto e in stretta collaborazione con partner selezionati. Per ulteriori informazioni, visitare il sito: www.retarus.it