
Data Protection & Data Processing
How are you affected by the GDPR ?

(GDPR = General Data Protection Regulation)

As a certified Data Protection Officer and Data Protection Auditor, I am a GDPR expert who can find solutions and advise you on all questions related to the GDPR.

Good to see ya!

Are you processing data of European Citizens?

Perhaps you offer immigration services or real estate services, or customers use your online store. If you process data from European citizens, then you have to comply with the GDPR!

So, let's talk about data protection, data processing, and how the General Data Protection Regulation (GDPR) affects you.

First of all, data protection is not bad and not superfluous. From its original meaning, data protection helps you to ensure that your personal information and the information of your customers is protected.

In the business context, we are heavily influenced by the laws of the states and countries in which our customers live. If your company has a strong focus on California, you must observe and implement the requirements of the CCPA. As a healthcare provider in the US, you are subject to the HIPAA requirements and if your customers are in Europe, you must implement the GDPR requirements.

It is not sufficient to just put a privacy policy on your website!


Due to the territorial principle of the GDPR, it applies worldwide to all companies that regularly process data from customers in Europe.


It is important that you make sure that all of your processes are GDPR compliant.

Some information about the GDPR

The GDPR was passed in 2016 and became fully effective in May 2018. Failure to implement the GDPR can result in severe fines. Companies like Microsoft, Meta Platforms, Accor, Volkswagen, Google, Amazon, or Grindr had to pay severe fines.

In many cases, the fines could have been eliminated by very simple measures. For example, Grindr passed on customer location data without any legal basis. Additionally, Grindr's privacy policy was incomplete.

Let's be honest, in how many cases do we accept that an app is tracking us? If the corresponding message appears on our iPhone, we accept it to have peace of mind and focus back on other things.

As a company, we must consider what our basis for data processing is. Is there a contract, a legitimate interest, or do you need the customer's consent?


This example might shed some light on what the GDPR does. It creates a legal framework for people who live in Europe and whose data we are processing. The CCPA does the same with respect to California residents.

The aim of these regulations is to give customers control over their own personal data and to make companies accountable for how they handle customers' data. As already explained, this concerns both the websites of the individual companies and the processes of the companies in which customer data is processed.

The GDPR influences a large number of data processing activities, e.g.:

  • Data storage through cookies

  • Data processed in the members' area of your website

  • Making a purchase from an online store

  • Communicating with EU citizens by texting, messaging, emails, phone, or other forms where personal data is processed

The complexity of the specifications makes it necessary to evaluate the processes and determine which measures must be implemented to be GDPR compliant.

Privacy Management Systems

Data protection management systems help to meet these requirements.

The implementation of an appropriate privacy management system is based on the data protection requirements of the organizational structure and the data processing activities. The configuration of the corresponding systems is very different and is primarily determined by the sensitivity, amount, and type of data processing as well as regulatory requirements. In addition, the regulations of these processes can vary from state to state.


You can find additional information about understanding the GDPR, the 7 principles of the GDPR, lawful bases of processing, data protection by design, GDPR compliance, data processing, website compliance, privacy policy, cookies, consent management, the territorial scope, user rights, the data protection officer (DPO) and a lot more in my blog article series Dealing with the GDPR. Below you will find an overview of the articles:

Dealing with the GDPR - Part 1 -
Understanding the GDPR

Link to full article

First, it is important to understand why you have to observe the GDPR (General Data Protection Regulation) at all, how that helps you to implement the GDPR, and what the meaning of this data protection directive is. The General Data Protection Regulation is a European data protection law which defines in what way and how specific categories of personal data may be processed. It applies to all data processing operations by European persons or data processing operations conducted in Europe. The territorial principle therefore also affects companies that are not based in Europe, even if the companies are not settled in a member state of Europe.

Example: Territorial scope

An American company processes data - personal information - from European individuals outside of Europe. The company must comply with the GDPR.

A Canadian company evaluates data from European individuals. The company must comply with the GDPR.

A company in Asia, Africa or America performs software and cloud maintenance work for another company that stores and evaluates data from Europeans. The European company must ensure that the third party (in this example the maintenance company) operates at the level of the GDPR.

The GDPR therefore not only affects Europe, but also goes beyond European borders.

Penalties and fines when breaking this data protection act

The penalties of the GDPR are intended to function as a deterrent and are therefore extremely high. They can amount to up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. The amount of these fines is influenced by the type, amount and duration of the violations as well as a variety of other aspects. But even lower penalties often range from $25,000 to $100,000.

Accountability

Since you as an entrepreneur have an accountability, you should always be able to answer the following questions, for example:

  • Are my customers' data stored securely?

  • Am I even entitled to conduct the data processing that I undertake?

  • Do I have to designate a data protection officer, and how is my data protection management system structured?

  • Why am I allowed to process data in the US without a valid Privacy Shield?

  • Do I manage my customers' consent, and can I prove this?

  • What technical and organizational measures do I use to ensure an appropriate level of protection for the processing of the data? Do the measures used correspond to the current state of the art?

If there is a data breach and customers complain about your business to the relevant regulator - the controller - you can expect these or comparable questions.

Controller

Is there only one controller, or are there many controllers? From the point of view of the GDPR, the question of who is responsible can be solved relatively easily. The person responsible is defined in Article 4 of the General Data Protection Regulation.

Art. 4 (7) - "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Dealing with the GDPR - Part 2 -
Data Processing & GDPR Compliance

Link to full article

In this article, we are going to take a deep dive into personal data, data processing, data protection, and how process management may help you to achieve GDPR compliance (GDPR = General Data Protection Regulation). Let's first take a look at personal data from the GDPR perspective.

Definition (GDPR article 4)

Personal data or customer data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What Kind of Personal Data Do You Process in Your Data Warehouse?

First of all, there is personal information like name, address, nationality, gender, date of birth, social security number (SSN), checking account information, credit & debit card information …

Then, you are processing personal information related to contracts: contract number, invoices, billing statements, begin & end of the contract, people involved in the contract, shipping address, billing address …

Furthermore, you are processing digital information. For example: IP address, browser information, hardware information, payment information, e-mail, social media profiles, locations …

And perhaps, you are also processing sensitive data (GDPR article 9 - special categories of personal data) like:

Dealing with the GDPR Part 3 - Website, Privacy Policy, Cookies & Consent Management

Link to full article

Today, I'd like to talk to you about the following topics: your website as a professional online presence, your privacy policy and why it is important for internet users, your cookies and when you need the consent of the visitor, and your consent management and why it is so important for your business.

Your Website As a Professional Online Presence

If you google that heading, you will find information about "How to hire professionals for building your website", "Why your online presence matters", "How to brand yourself or how to create content", or "How to improve your website strategically". Furthermore, you can find a lot of online generators for building your privacy policy if you google "website and privacy policy".

But Why Is It Necessary to Have a Privacy Policy on Your Website?

If you are the owner of an internet domain, then your site will normally consist of different web pages. Nowadays, it is typical that your website, or the cookies that you use on your own website, collect sensitive personal data. That also means that you need to have a legal basis to collect information and that you are affected by different data protection laws. Do you think that your website isn't collecting data? Did you just use a website builder? Perhaps you are only creating web content, or you didn't add advanced functionality? In all of these cases it is your responsibility to comply with the specific data protection regulations. If you fail, there is a high risk of being penalized. And it won't help you to ignore the facts. You're still responsible and accountable. So, keep in mind that it is normal that a website collects data.

Examples For Data Collection

  • Data hosting by an external company

  • The use of plugins

  • Social media buttons on your website

  • Analytics tools

Furthermore, it is very important to understand that you need to consider the location of your customers. In reality, it is not the location of the business but rather the location of the customers that matters. So, always keep in mind that data protection regulations often have a territorial scope. Your business is based in the US, and you trade your goods both in the US and with customers in Europe? For customers who live in Europe, you MUST observe the requirements of the GDPR (Territorial scope principle - GDPR Art. 3 No. 2).

Dealing with the GDPR - Part 4 - Article 32 and technical and organizational measures

Link to full article

The heading of Article 32 is "Security of processing". When talking about the security of processing we have to focus on security measures and technical and organizational measures. But let's start with the security of processing.

Security of processing

When dealing with security measures, we must always look to Article 24 and Article 32 GDPR. Article 24 obliges you as the controller to implement appropriate technical and organizational measures to ensure, and be able to provide evidence, that the processing is in accordance with the GDPR. Art. 24 thus specifies the implementation of the 7 principles of Article 5. Article 32 specifies this obligation in more detail with regard to compliance with data security. It is your obligation as the person responsible, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk [...] to take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk. In summary, it can be said that you have to take appropriate technical and organizational measures that guarantee a level of protection that ensures that you process data in accordance with the GDPR and exclude risks as far as possible.

Technical and organizational measures

Before we start talking about typical data protection risks and the GDPR requirements, I would like to give you an overview of the technical measures and the organizational measures. We can read in Article 32 and in Recital 78 what is necessary to meet the requirements of the General Data Protection Regulation. Recital 78 states that "Such measures could consist, inter alia, of minimizing the processing of personal data, pseudonymizing personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features."

Technical measures

Pseudonymization and encryption

Article 32 points out that pseudonymization and encryption of personal data are appropriate security measures that help to ensure compliance. But it is necessary to implement technical measures on different levels. Pseudonymization can be implemented by replacing user-related data with random codes. You can use encryption by using hard disk encryption or a cloud solution with encryption. Let's look a little deeper into other technical measures that help you to protect personal data and achieve GDPR compliance step by step. Also keep in mind that you will need a set of technical measures to reach a good level of data security.

Firewalls

A firewall is a protective technology that separates network areas from each other. In practice, this usually means that it tracks incoming and outgoing data packets. It regulates that these data packets are only sent in and out at the points where they are allowed to do so. The firewall works according to previously defined rules to open, block and monitor the inputs and outputs (ports) appropriately. The use of a firewall is an important building block in a security concept.

Protocols (Log Files)

Log files are used to check data processing that took place in the past. They are necessary to meet the accountability requirements of Article 5. Logs record, for example, who has performed which activity in relation to which data at a specific time, or who sent which data to whom at a specific time. Logs help with subsequent checks. Protocols are usually created automatically ("logs"). Logs can contain a variety of information, such as information from systems, services, programs, video recordings of activities in server rooms, or file entries at the technical level.
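As an added example (not code from the article or from any product), here are the two technical measures described above in Python: direct identifiers are replaced by random codes whose mapping lives in a separate vault, and every pseudonymization and re-identification is written to an accountability log recording who did what with which record and when. The field names, the customer record and the vault layout are assumptions made for this illustration.

```python
"""Pseudonymization with random codes plus an accountability log.

Constructed example: the working data set keeps only random codes, the
code->value mapping sits in a separate vault (protect it like a key), and
each access is logged so later checks can show who re-identified what.
"""
import secrets
from datetime import datetime, timezone

# Fields treated as direct identifiers (assumption for this example).
DIRECT_IDENTIFIERS = ("name", "email", "phone")


class PseudonymVault:
    """Maps identifying values to random codes; store it apart from the working data."""

    def __init__(self):
        self._to_code = {}   # (field, original value) -> random code
        self._to_value = {}  # random code -> original value
        self.log = []        # accountability log entries (who, what, which record, when)

    def _record(self, actor, action, record_id, field):
        self.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "record": record_id,
            "field": field,
        })

    def pseudonymize(self, actor, record):
        """Return a copy of record with direct identifiers replaced by random codes.

        The same original value always maps to the same code, so records about
        one person can still be joined without revealing who the person is.
        """
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field not in out:
                continue
            key = (field, out[field])
            if key not in self._to_code:
                code = secrets.token_hex(8)  # 16 hex chars, not derived from the value
                self._to_code[key] = code
                self._to_value[code] = out[field]
            out[field] = self._to_code[key]
            self._record(actor, "pseudonymize", record["id"], field)
        return out

    def reidentify(self, actor, record):
        """Restore the original values; every call is logged for later audit."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out and out[field] in self._to_value:
                out[field] = self._to_value[out[field]]
                self._record(actor, "reidentify", record["id"], field)
        return out

    def accesses_to(self, record_id):
        """All log entries concerning one record, in chronological order."""
        return [entry for entry in self.log if entry["record"] == record_id]


if __name__ == "__main__":
    # Constructed sample customer record.
    vault = PseudonymVault()
    customer = {"id": 42, "name": "Jane Doe", "email": "jane@example.com", "country": "FR"}
    working_copy = vault.pseudonymize("etl-job", customer)
    print("working copy:", working_copy)          # codes instead of name and e-mail
    print("restored:", vault.reidentify("support-agent", working_copy))
    for entry in vault.accesses_to(42):
        print(entry["time"], entry["actor"], entry["action"], entry["field"])
```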

Dealing with the GDPR - Part 5 - Why do I have to care about the data processing of EU Citizens?

Link to full article

Imagine the following situation: Your business is based in the US and you trade your goods both in the US and with customers in Europe. For customers who live in Europe, you must observe the requirements of the GDPR (Territorial scope principle - GDPR Art. 3 No. 2). If you don't do this, it can lead to high fines - "... up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher." (Art. 83, No 6 GDPR)

The Territorial scope principle regulates that the GDPR applies if you process data from a person who lives in Europe. Article 4 of the GDPR regulates what exactly is meant by data. I linked the page here.

The GDPR includes a variety of requirements that you must implement, such as:

  • Purpose limitation of data processing

  • Minimization of data processing

  • Accountability

  • Different types of legality

  • Conditions for consent to data processing

  • What rights the data subjects have and how you have to implement this

  • Information obligations for data processing

  • Which information rights the data subject has

  • Different specifications for ensuring data protection

  • …

Dealing with the GDPR - Part 6 - Website Compliance Checklist

Link to full article

In many cases, your company will receive data through your own website, for example when your clients are buying products in your online store, updating their data in the members area, or a customer sends you a message to get in touch with you. In all these situations, data is processed through your website, and if you have customers from Europe, then your website must comply with the General Data Protection Regulation (GDPR). Therefore, it is important that you ensure data privacy. For that you need knowledge about the GDPR and you must have the resources for compliance in your organization. I created this checklist to give you an overview of the tasks you should carry out to make your website compliant and to take a step on your way to GDPR compliance. If you have any questions, please send me an email to harald@griffox.com.

1. What data is stored by your website?

The GDPR obliges you to be accountable for complying with the requirements. Of course, this means that you must know what data you have, who has access to this data, where this data is stored, for what purpose this data was stored, and how your business processes are working. You should be able to answer the following questions, as it is not enough to know that you have stored your clients' data somewhere in a cloud storage. Due to the fact that cloud storage can be almost anywhere in the world, it can sometimes be a little complicated to know exactly where your data is stored. Let's look at an example before we take a look at some questions.

Imagine the following situation: a customer has been buying products from you for many years. He always pays in a timely manner and he put his data in your members account. He uses your social media buttons from time to time and he reacts to your sales advertisements. But he lives in France. Do you know exactly the purpose for which his data were originally collected?

Data processing in relation to the GDPR means that it is designated for a particular purpose. If your customers are living somewhere in Europe then you have to comply with the GDPR. Accordingly, you can only process data for the purpose for which it was originally collected.

Questions

  • What personal data do you process and store?

  • Which persons or third parties have access to this data?

  • Do you control the processing of the data, and how do you document this check?

  • How do you document the purpose of data storage?

  • On what basis does the data processing take place (contract, consent, ...)?

  • Where exactly do you store the personal data?

  • How long do you store data? At what intervals do you perform data deletion?

  • Does your website collect personal information from minors (under the age of 16)?

  • Do you process special categories of personal data according to Article 9 GDPR (racial and ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the unique identification of a natural person, health data or data on sex life or the sexual orientation of a natural person)?

2. How do you secure your website?

A website is your professional online presence, and it is of particular importance that you take care of the security of your site and that the site is protected against attacks. You should also be aware that a specific page of your website can contain several business processes. The GDPR also obliges you to ensure that you implement appropriate measures that guarantee the security of your data processing. The GDPR generally refers to the current state of the art. This means that you must focus on the current state of the art, which is generally recognized. You can read about this in Article 25 and Recital 78.

Questions

  • Have you installed an SSL certificate that encrypts all information exchanged between the website and the server?

  • Do you use strong passwords for administrator accounts?

  • How do you protect your website against DDoS attacks?

  • Do you use pseudonymization, anonymization and encryption measures to protect the stored data?

  • Do you have a data storage concept that ensures that you store backups in different locations?

  • Do you observe the principles of storage limitation and data minimization?

3. Your Privacy Policy

The GDPR requires you to have a privacy policy. This is because Article 13 GDPR stipulates that the website owner must inform the user at the time of data processing about the purposes and legal basis for data processing. The privacy policy must also outline the rights of the user. In addition, it is important that you write the policy in clear and understandable language and that the privacy policy is placed in a way that the customer can easily find and access it. The following list, which is also part of my blog article Dealing with the GDPR - Part 3 - Website, Privacy Policy, Cookies & Consent Management, will help you to check whether your privacy policy contains all necessary aspects.

Questions

  • Which information is collected from users or from other sources?

  • How do you process data? How and why do you gather that data?

  • What are the lawful bases of data processing?

  • How do you use it?

Privacy Certification

My core competence is in the GDPR, which applies when you process personal data of customers from the EU.

As a certified data protection officer and certified data protection auditor, I have extensive knowledge in the field of data protection and information security.


I have worked continuously since 2015 in the areas of data protection, auditing, and compliance, leading these departments and ensuring that the relevant companies were able to achieve GDPR compliance.

In addition, I have extensive knowledge in the areas of process analysis and process optimization. I have successfully advised the departments of marketing, sales, IT, customer service, product development and data science at my previous employers on all questions of data protection and the review of digital processes.

I am also happy to work for you to make your processes GDPR compliant and to ensure that you are not threatened with fines.

I can provide the following services:

  • GDPR readiness assessment including gap analysis

  • GDPR awareness training

  • Implementation of data privacy best practices

  • Integration of privacy by design & privacy by default principles from the earliest stages of product development

  • Advising your teams and departments, for example executives, marketing, sales, customer services, IT, and business operations teams, on technology-related legal, regulatory, and compliance risks

  • External Data Protection Officer (DPO)

  • Conducting data protection checks

  • Consultations on all questions related to the GDPR

  • Implementation of systems to be GDPR compliant

  • Introduction and further development of data protection management systems

  • Project planning & Implementation

  • Supervision of the implementation of your project

  • Data protection impact assessment

  • Transfer Risk Assessment

  • Website Review & App Review

  • Privacy Policy & Cookie Policy for Website and App

  • Risk Management
