Implementing data security and data protection appropriately within your company is a complex task. Given the large number of data processing operations that are carried out every day at different points and the equally large number of legal rules that have to be observed, it is easy to lose track of exactly what is going on. This is why companies should opt for a comprehensive data protection management system (DPMS) to help them keep track and not risk being fined for legal violations. In this article, we will show you what is most important.
I. DPMS: A brief introduction
A DPMS is a way to centrally manage and take care of all your data protection requirements. It defines processes, determines who is responsible for what, and introduces control mechanisms. The most important processes include: maintaining records of processing activities; handling data subject requests, complaints and data protection incidents; and conducting regular staff training. As for determining who is responsible for what, it is important to clearly separate your different responsibilities at team or department level and to appoint data protection coordinators. In addition, there should always be close cooperation with the person in charge of data protection. Regular review processes and internal audits are recommended for control purposes.
II. Designing a DPMS
In order to be able to define a meaningful structure for your DPMS, it is first important to know what companies are generally required to do under data protection law. Any collection, use, archiving or even erasure of personal data constitutes a processing operation that must comply with the General Data Protection Regulation (GDPR). Besides defining responsibilities, legal bases or documentation practice, there are requirements such as ensuring compliance with the data protection principles of “privacy by design” and “privacy by default”, and special regulations for data transfers to third countries, for processing data on the controller’s behalf, and other scenarios. This all results in a large number of overarching goals that your DPMS should achieve – and on the basis of which your DPMS can be structured. These include in particular:
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
The many requirements can cause data protection management within your company to become highly time-consuming and tedious for the staff involved. Given that there are different tasks with different deadlines, and differently structured documents sent out to different departments, the whole affair is very prone to errors. This makes a carefully crafted DPMS all the more important.
III. Key content in a DPMS
One important component of any DPMS is the records of processing activities. The DPMS also contains all the documentation necessary for accountability purposes under Art. 5(2) GDPR, and it serves as a basis for the monitoring processes that are mandatory under Art. 32 GDPR. In addition, it contains information on the erasure concept, service provider management, the documentation of technical and organisational measures, data security, and data protection impact assessments (DPIAs). Other points to include in your DPMS are the processes for data subjects’ rights, data protection incidents and requests from authorities, as well as staff training.
Dealing with data subjects’ rights is another central part of a DPMS. The most important thing here is to make sure that you are guaranteeing these rights in the legally prescribed form. This includes informing data subjects in plain language about the processing of their personal data and what specific rights they have, for example the right of access or to have their data erased. In order to answer requests from data subjects in full and on time, companies need to set up an effective system that includes a whole host of factors, such as who is responsible and who to contact, appropriate tools for answering or forwarding requests, as well as erasure and deadline management systems.
Finally, it is crucial to react properly to data breaches. Under the GDPR, breaches must be reported to the supervisory authority within 72 hours at the latest, and in the case of a particularly high risk, also to the data subjects themselves. A complete DPMS therefore also includes processes for dealing with data breaches and reporting obligations. Your staff need to know the potential scenarios in which data breaches may occur and how to report them.
This does not mean simply drawing up a list once: regularly reviewing and updating that list is crucial to ensure a functioning DPMS and to comply with the accountability requirements under data protection law.
IV. The PDCA cycle
When it comes to implementation, it is advisable to apply a four-phase PDCA cycle (Plan, Do, Check, Act), which is highly suitable for a DPMS and can therefore also be found in the standard data protection model. Its four phases are repeated with the aim of continuously learning and improving. The first step should be to obtain an overview of all processes which involve processing personal data. Subsequently, compliance with the data protection requirements is reviewed. It is not only important to record individual data breaches that have already occurred: according to a risk-based approach, the respective processes in the company also need to be evaluated with regard to the potential risk of data breaches. In the case of a high risk, you should then use the results obtained and take action to improve the situation even before a breach occurs. For example, measures can be taken to implement data protection principles such as data minimisation or to ensure the fulfilment of data subjects’ rights. It is also important to ensure that the DPMS integrates well with existing systems and processes. This results in the following phases within the PDCA cycle:
- Plan: Planning, specification, documentation
- Do: Implementation, logging
- Check: Check, audit, assessment
- Act: Improvement
V. What else belongs to a DPMS
One of the advantages of a DPMS is that it can employ uniform documentation. This makes it easy to set deadlines and priorities and to send notifications or reminders early on. Through change management, adjustments can be made quickly to different documentation such as the records of processing activities or a DPIA, while the documents remain synchronised and up to date. The DPMS can also be used to carry out comprehensive compliance checks and risk analyses. In addition, a DPMS is a good way to work on data protection as a team. With responsibilities clearly distributed, direct communication channels and uniform documentation, misunderstandings and additional work can be prevented. A digital DPMS is not a must, but it is an advantage. It offers a central database as the basis for all requirements under data protection law, which your staff can access via a user-friendly dashboard depending on their responsibilities. In addition, communication between staff can be made easier with task assignment or comment functions.
A DPMS makes it much easier to comply with data protection obligations. Documenting and reviewing the GDPR requirements promotes clarity and helps avoid data breaches while reducing time and effort. A good DPMS also enables you to react quickly to changes. Constantly reviewing the data protection standard, together with the possibility of flexible adjustments, ensures that all measures always remain up to date. Dedicated DPMS software can make things even more straightforward, as it lets you centralise and automate data protection throughout your company. In the long term, this can be a way of improving processes as a whole and not only in the area of data protection. Companies that want to implement a DPMS should be guided by the requirements of the GDPR and use the records of processing activities as the basis for creating a suitable, comprehensive system.
Please contact us if you need advice on DPMS.