Since it became applicable on May 25, 2018, the General Data Protection Regulation (GDPR) has had a significant impact on businesses worldwide. The GDPR was designed to protect the personal data of natural persons in the EU (not only EU citizens) and to create a unified data protection regime within the EU. In practice, however, the GDPR has not only increased data protection but also created a host of legal and practical challenges that pose significant difficulties for companies.

Scope of the GDPR

The GDPR applies to every controller or processor established in the EU that processes personal data, regardless of where the processing itself takes place. Companies outside the EU must also comply with its complex requirements if they offer goods or services to data subjects in the EU or monitor their behaviour (Art. 3 GDPR), even if they only process minimal amounts of data. While this may seem like a welcome unified level of protection at first glance, for many companies – especially small and medium-sized enterprises (SMEs) and international corporations – the regulation creates a significant administrative burden.

For the companies concerned, this means that any processing of personal data – whether it be for marketing measures, the administration of customer contacts, the implementation of outsourcing projects or internal employee administration – must be carried out in accordance with the provisions of the GDPR.

This means a considerable amount of work and possibly high costs for implementing the necessary data protection measures, and it is not always clear that the effort actually results in better protection for the data subjects. In some cases, the solution is to stay outside the scope of the GDPR from the outset, e.g. by working with anonymous or synthetic data. Note that this only works if the data is genuinely anonymous: pseudonymised data (where re-identification is still possible with additional information, such as a lookup key) remains personal data under the GDPR, and synthetic data must be generated so that it cannot be traced back to real individuals. Where staying outside the scope is not possible, we will be happy to help you implement the GDPR requirements in the most practical and least disruptive way possible.

The main principles of the GDPR

The GDPR is based on a number of fundamental principles that govern the handling of personal data. These principles form the basis for the corresponding compliance measures:

  • Lawfulness, fairness and transparency: Data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Purpose limitation: Data may only be collected and processed for specified, explicit and legitimate purposes. Further processing that is incompatible with these purposes is not permitted.
  • Data minimisation: Companies should only collect and process data that is adequate, relevant and limited to what is necessary for the respective purposes. “As much as necessary, as little as possible” is the motto here.
  • Accuracy: It must be ensured that personal data is factually correct and, where necessary, kept up to date. Inaccurate data must be rectified or erased without delay.
  • Storage limitation: Personal data may not be stored in a form that permits identification of the data subject for longer than necessary. Companies must develop and implement clear retention and deletion policies.
  • Integrity and confidentiality: Data must be protected by appropriate technical and organizational measures to ensure the security and confidentiality of the data.
  • Accountability: The controller is responsible for compliance with the above principles and must be able to demonstrate it, e.g. through records of processing, documented risk assessments and policies.

Data Protection Challenges for Enterprises

GDPR compliance presents a number of challenges for organizations. These include:

  • Ensuring data security: Under Art. 32 GDPR, companies must take technical and organizational measures appropriate to the risk to protect personal data from unauthorized access, loss or misuse. This may include encryption and pseudonymisation, access controls, regular testing of the effectiveness of the measures, and training for employees. Personal data breaches must also be detected and, where they pose a risk to data subjects, reported to the supervisory authority without undue delay and, where feasible, within 72 hours (Art. 33 GDPR).
  • Managing data subject rights: The GDPR grants data subjects a number of rights, including the rights to access, rectification, erasure, restriction of processing, data portability and objection to the processing of their data. Organizations must be able to verify the identity of the requester and fulfil such requests efficiently and within the statutory deadline, as a rule within one month of receipt (Art. 12 GDPR).
  • Documentation requirements and data protection impact assessment (DPIA): Companies are required to keep records of their processing activities (Art. 30 GDPR) and, where processing is likely to result in a high risk to the rights and freedoms of data subjects, to conduct a data protection impact assessment (Art. 35 GDPR) to evaluate and minimize those risks.
  • Data transfers to third parties: Many companies work with external service providers or transfer data to subsidiaries in other countries. In doing so, the GDPR requirements on processing on behalf of a controller (data processing agreements under Art. 28 GDPR) and on international data transfers must be strictly adhered to. In particular, transfers to countries outside the European Economic Area (EEA) require a valid transfer mechanism, such as an adequacy decision, standard contractual clauses or binding corporate rules, and, where necessary, supplementary technical or contractual measures.
  • Processing of special categories of personal data: Article 9 of the GDPR classifies certain data as particularly sensitive, including health data, biometric data used for unique identification and data revealing racial or ethnic origin, political opinions or religious beliefs. The processing of such data is prohibited unless one of the exceptions in Art. 9(2) applies, and it requires additional safeguards. This is particularly relevant if such data is to be used to train AI. At the same time, it should be emphasized that Art. 10 para. 5 of the AI Act exceptionally permits providers of high-risk AI systems to process such data to the extent strictly necessary for the detection and correction of biases, subject to the safeguards listed there, such as pseudonymisation, restrictions on re-use and deletion of the data once the bias has been corrected.

Data protection is an interdisciplinary team effort. Law and technology must be aligned.

The GDPR requires companies to handle personal data with the utmost care. A comprehensive understanding of the GDPR and its technical implementation is therefore essential for the sustainable success of a company in the modern, data-driven world.

Aitava offers the highest level of consulting on challenging privacy issues. Our highly qualified data protection experts combine in-depth academic and practical knowledge with deep technical expertise to provide you with customized and practical solutions. With us by your side, you can navigate the complexities of GDPR with confidence and elegance.

Ready?

We navigate you through the data protection jungle.
