Companies have less than six months left until compliance with the GDPR becomes mandatory in all EU Member States. Data protection will then be a management task and non-compliance will be expensive. This applies to large corporations and medium-sized businesses as well as to small businesses and associations.

In some cases, processes and structures have to be adapted considerably to ensure conformity with the Regulation. Businesses had two years to prepare for the event. Now, there is not much time left. For this reason, companies and data controllers should urgently check whether they have taken the necessary measures. If this has not been done, appropriate steps must be taken as a matter of urgency.

Following the publication of a questionnaire on GDPR implementation by the Bavarian State Office for Data Protection Supervision (see our report), the supervisory authorities have now compiled suggestions for companies in a 10-point paper to prepare them for the GDPR.

Accordingly, it should first be stressed to the relevant groups within the company – management, data protection officers, and other individuals responsible for data protection – that the GDPR has a direct impact on the company as a data processor. The supervisory authorities then recommend establishing a current status. This procedure is also in line with the approach that SKW Schwarz Rechtsanwälte recommends to its clients when advising them on data protection projects.

The supervisory authorities highlight key topics of the GDPR, including the legal basis for the processing of personal data, personal data of minors, and privacy by design and by default. In addition, the supervisory authorities recommend reviewing and revising contracts, particularly those relating to order processing. It is also important for companies to properly implement the rights of data subjects and information duties. Finally, processes for data protection impact assessment, reporting and consultation requirements, and proper documentation must be implemented and organized.

Practical tip: From May 25, 2018, data controllers must comply with the GDPR. Otherwise, companies risk fines and claims for damages in the millions. The 10-point paper issued by the supervisory authorities provides companies with an overview and suggestions for preparing for the GDPR. The points addressed in the paper should be implemented as part of a project in the company within the next half year. Where this has not been done yet, companies are urgently required to start a project to implement the GDPR.