The five most common data protection misconceptions
Misconception 1: "Companies that do not have to appoint a data protection officer do not have to implement data protection."
In Germany, companies with 10 or more employees that regularly process personal data must appoint a data protection officer. As a result, smaller companies in particular, with fewer than 10 employees, are faced with the question of the extent to which they have to implement the data protection requirements of the GDPR. In principle, the General Data Protection Regulation applies equally to all companies in Europe. Relief for small companies could be possible in the future, as the GDPR contains a recital to this effect; however, the German supervisory authorities have not yet agreed on a position. As a result, every company that processes personal data, regardless of the number of employees, must implement the requirements of the GDPR.
Misconception 2: "Data protection measures only have to be implemented once and are then finished."
Some entrepreneurs are of the opinion that data protection can be implemented in a one-time action. This view is wrong, because implementing data protection is a continuous process. This process aims to achieve a high level of data protection through organizational and technical frameworks for data protection and data security. Changes in the law or in the company make a regular review of data protection necessary.
Organizational framework conditions are, for example, the establishment of a corresponding data protection organization, the keeping of a register of processing activities, or raising employees' awareness of data protection issues. It is also important to keep an eye on data protection across the company by concluding data processing agreements with suppliers and business partners. The technical framework includes, for example, safeguarding the processing of data by creating backups.
Misconception 3: "Data protection only creates work and brings no benefit for the company."
According to a survey conducted by Bitkom in September 2018, many companies believe that data protection complicates and slows down many business processes, especially since companies lack legal certainty on many detailed data protection issues. However, the GDPR also regulates many topics clearly. If these topics are optimized in the company in accordance with the GDPR, processes such as document processing are accelerated. Another example is the systematic destruction of personal data. Reducing the amount of data collected, and treating it confidentially, brings benefits for customers, employees and the company itself.
Misconception 4: "I am no longer allowed to process data; customers and employees must consent to every processing operation."
For standard business processes, companies repeatedly require the consent of their customers. For some of these processes, however, customer consent is not required. In at least 95 % of cases, there is a legal basis that permits the processing of personal data. As a basis for deciding whether consent is necessary, companies can use Article 6(1)(b) or Article 6(1)(f) of the GDPR as a guide. If neither of these conditions applies, companies must examine whether the data subject is willing to give his or her consent to the data processing.
Misconception 5: "Data protection has nothing to do with me, I'm too small for that."
Again and again, small businesses think that data protection is not relevant for them. To illustrate the extent to which data protection is important even for small companies, here is an example:
According to the GDPR, a hearing care professional with a small laboratory and 5 employees does not need to appoint a data protection officer. He may be of the opinion that "data protection is not relevant for me". The following questions make clear that this is a mistake:
- Are there any public figures among his clients?
- Are they possibly in an age group in which it is unusual to wear hearing aids?
- To what extent can the hearing care professional be confident, and guarantee, that this information will not be passed on to third parties by his employees?
If such confidential information becomes public, the hearing care professional's reputation may be damaged, and he is put at a disadvantage in direct competition with other providers. By raising awareness among his employees, the hearing care professional can educate them and ensure that they keep such information confidential.