Data Protection and Compliance

Since the new European Data Protection Regulation (GDPR) and the significant increase in fines to up to EUR 20 million or 4% of global annual turnover, risk awareness in the area of data protection has increased significantly. Every company that processes personal data in the European Union (EU) must in many cases comply with the GDPR even if it has no registered office or branch office within the EU. The GDPR is directly applicable law, but is partly supplemented by national data protection laws, through which some EU Member States have made use of the numerous open clauses of the Regulation. Understanding the data protection provisions of the GDPR and correctly mapping the extensive information and documentation obligations and the necessary processes within the company is a major challenge and requires close cooperation between the legal and compliance departments, IT, the specialist departments and external consultants. Complex data protection issues often now arise, especially with the digital transformation of many economic sectors, the increase of business and marketing models (based on data processing) as well as the use of big data or data analysis models. The corresponding legal and regulatory obligations represent a significant subset of the entirety of compliance requirements and should be on the agenda of every Chief Information Officer (CIO) and Chief Compliance Officer (CCO) today in the context of their risk and compliance activities. At the same time, the data protection supervisory authorities throughout Europe, but above all in Germany, are increasingly active and regularly check, even without cause, whether, how and to what extent the requirements of the GDPR have been implemented in certain sectors.