General Data Protection Regulation: you have to act!
The EU General Data Protection Regulation applies from 25 May 2018. It imposes heavy fines for non-compliance. Companies have to act.
The free and certifiable VdS guidelines are helpful for small companies in particular, of which there are many in the lift sector. The EU General Data Protection Regulation (GDPR) regulates the processing of personal data by every company and public authority in the EU, and has to have been implemented in full by 25 May 2018.
The effects of the roughly 300-page regulation on the organisation and IT of small and medium-sized enterprises (SMEs) in particular, which are also disproportionately present in the lift sector, will be extremely far-reaching. From 25 May, contraventions can be punished with fines of up to four percent of worldwide annual turnover (or EUR 20 million, whichever is higher). In short, companies have to act.
Undoubtedly the most important new feature is the so-called accountability obligation. Every company must be able to prove in full, at all times, that all requirements of the GDPR are being observed. This even applies to a one-person lift maintenance business that has stored the contact details of a contact person at a customer, or the data of another one-person company it cooperates with.
The requirement can only be implemented in one way: by setting up a data protection management system. This is a governance framework, not a technical tool, although it can be supported by one. What is necessary from the reference date is a regulatory framework with clearly defined guidelines, processes, roles and responsibilities and clear control mechanisms, with auditable documentation and clear communication rules.
In 32 pages: a precise GDPR guideline for practical use
The roughly 300 pages of GDPR demands are translated into practical requirements by the compact VdS 10010 guidelines. In 32 pages, clearly defined roles and responsibilities are prescribed for meeting the EU regulation. The guidelines are addressed in the first instance to company management, since data protection is the responsibility of those in charge and by no means, as sometimes assumed, a purely IT matter.
In specific terms, if the company is obliged to appoint a data protection officer, the latter plays the central role in achieving the required GDPR level. He or she is the central contact for all matters on the subject, advises management and colleagues, and is the person that affected data subjects, employees and the supervisory authorities turn to. The data protection officer monitors compliance with the EU regulation.
Call in qualified service providers
VdS 10010 makes provision for a data protection manager to support the data protection officer. The data protection manager works out the data protection management system in detail and initiates, plans and controls its implementation, supported in doing so by a data protection team.
This is a committee that, in addition to a representative of company management and the data protection officer or data protection manager, consists of IT managers and employee representatives. It can also make sense for representatives of the legal, HR, finance and other operational units to take part.
If smaller companies need supporting expertise, they should call in qualified service providers. The first data protection management system consultants specially trained and certified by VdS for this purpose can assist here.
Important for users: clear structure of the guidelines
The language of VdS 10010 is clear and unambiguous. For example, mandatory requirements are always marked "MUST" in capitals. Points marked "SHOULD" are recommendations; they are not, for instance, required for a certification (which VdS also offers).
Also useful is the free quick check, with which data protection officers (not just in the lift industry) can determine the implementation status in their own company and obtain initial, concrete suggestions for improvement: https://www.vds-quick-check.de/en
Christian Schottmüller is Cooperation Manager of the Cyber Security Department at VdS, Europe’s biggest institute for security.