15 years of Data Protection Day, 15 times reminding organizations across all industries and sizes about the importance of data protection. Lately we’ve seen a lot of regulations like the GDPR or Schrems II, all small steps towards proper data protection that secures personal data and gives the topic the recognition it deserves.
The European Convention on Data Protection was signed 40 years ago. This is why European Data Protection Day is celebrated every year on January 28. Data protection continues to pose major challenges for companies: With the ruling of the European Court of Justice in the Schrems II case, pressure is growing on small and medium-sized companies to re-evaluate their processes and procedures and adapt them to the regulations of the EU GDPR. Mareike Vogt, data protection expert at TÜV SÜD, takes a closer look at this current topic.
The EU GDPR stipulates that the transfer of personal data to a country outside the EU/EEA is only permitted, among other things, if the destination countries or organizations guarantee equivalent data protection to the European Data Protection Regulation (EU GDPR). The United States of America, for example, does not meet this requirement, which is why the EU Privacy Shield was overturned by the European Court of Justice (ECJ) in the Schrems II case. According to many experts, this was already foreseeable since the agreement was introduced. The policy’s negligence is now causing major difficulties for small and medium-sized enterprises (SMEs) in particular: They need to adapt their own processes and the software and hardware they use (for example, data centers) as quickly as possible.
New contracts or new providers?
In their day-to-day work, SMEs usually rely on software and as-a-service solutions from larger, established providers, or they adapt to the processes and requirements of their customers. To ensure that the personal data processed is protected in accordance with the ruling, all of this must now be reviewed. If SMEs have concluded standard contractual clauses as a guarantee with the service providers, it is possible that these will also be affected by Schrems II. Often, these clauses alone are not sufficient to protect personal data within the USA, and further technical measures must be taken. In addition, an enormous amount of data, at first glance hidden behind sub-service providers, flows to the USA or is stored on servers there, even though the providers are actually European companies or have branches here. If the providers are not in a position to comply with the ruling, SMEs also have a duty to immediately look for new solutions or even provide the services themselves, for example “on premises”, i.e. on their own servers.
External help compensates for shortage of skilled workers
Many SMEs are facing major challenges as a result of Schrems II. Those who fail to comply with the EU GDPR face stiff fines and public exposure by civil organizations, such as NOYB, that are dedicated to data protection. These do not shy away from putting companies in a digital pillory. Many companies also lack the appropriate specialists to implement the demands. However, there is a simple way out of this dilemma for SMEs: independent consultants and externally appointed data protection officers are permitted, and they not only relieve the company itself but also guarantee an objective assessment of the situation. With their help, even small and medium-sized companies can adapt their systems and processes to the new situation without too much effort.
More Information: The Schrems II decision: a milestone for privacy?