The first data protection law came into force on 1 July 1993. And a little more than 30 years later comes the comprehensive renovation. The address is still the same: like its predecessor, the totally revised Data Protection Act is abbreviated as “DSG”. On the property, however, no stone has been left unturned. The new house is bigger, has more rooms, a few winding corridors and even a dungeon (with the new penal provisions).
As a company and especially as an SME, I ask myself the question: Am I ready to move in? And what happens if I haven’t organised, labelled and packed everything by moving day?
If my SME already complies with the requirements of the European General Data Protection Regulation (“GDPR”), a large part of the work is already done. Even if not all adjustments have been completed by 1 September 2023, the necessary structures are in place. This should cover the most important risks.
If the topic of data protection has received little attention so far, there are risks, but there is also good news. Now that some projects have been completed for 1 September 2023, experts have a little more capacity again and one benefits from the experience they have gained in advising different SMEs. There are no quick, easy and at the same time cheap solutions for data protection. The process leads via an understanding of one’s own business and the data collected and needed to the best possible data protection practice. Because the requirements can sometimes be contradictory, one hundred per cent implementation is not realistically achievable.
A risk-based analysis of the need for action begins with the penal provisions contained in the new DPA. Thought must be given to how data subjects are informed about the acquisition of data. This can be done with a privacy statement, but also in other ways. Because false and incomplete information can be punishable, this must definitely be addressed.
Also central is responding to requests for information when they are received. If these requests are not taken seriously, it is bad for the reputation. But providing false or incomplete information can also be a criminal offence. Therefore, processes must be set up for these requests.
However: The mentioned transgressions are only prosecuted upon request, i.e. the persons concerned have to actively contact the prosecution authorities. As long as the SME has a good relationship with its customers, there is no immediate danger. However, if the data protection issues are not addressed, a company leaves itself open to an (avoidable) flank that will cause problems in the future.
If you have any questions in data protection law, our lawyers will be happy to advise you.