EU General Data Protection Regulation: more bureaucracy, high penalties, new opportunities

  • High penalties make handling data correctly a question of existence
  • Future data protection solutions must already be considered in software programming
  • Correct implementation of the new rules can also become an important competitive advantage

Little more than six months before the EU General Data Protection Regulation (EU GDPR) becomes binding in May 2018, preparations for the new regulations are often at an early stage in Austrian companies, if they have begun at all. “While leading Austrian companies are much further along than the average of Austrian businesses when it comes to drafting EU GDPR-compliant structures and processes, even in model companies there is still plenty to be done”, Leitbetriebe Austria Managing Director Monica Rintersbacher explains at a business talk on the EU GDPR organised by the platform of excellence Leitbetriebe Austria together with network partner and host Binder Grösswang Rechtsanwälte and the software company datamill. “The significant widening of the range of financial penalties can make violations of data protection regulations a matter of survival, so there is a truly urgent need for action”, Rintersbacher says.

Few changes in principles, but extensive administrative requirements
In many areas, specifically in the handling of customer data, the EU GDPR will bring material changes, though not that many. “Those who already comply with all of the data protection regulations will not have any major problems implementing the regulation”, says data protection expert Angelika Pallwein-Prettner, partner at Binder Grösswang Rechtsanwälte. “What is really new are the extensive documentation requirements for all forms of data processing in the company and, above all, the level of penalties. For example, the maximum penalty for violations has been increased nearly a thousand-fold and is now EUR 20 million.”

The primary impacts are in the area of employee data protection. “With EU GDPR applicability, the subject of employee data protection will gain considerably in importance within companies. This issue is not uniformly regulated by the EU GDPR; rather, various national regulations shall continue to apply in the future. These, however, will be penalised with significant European fines. In this area Austrian law stipulates strong co-determination rights for works councils, so good cooperation between companies and employee representatives is of utmost importance”, Pallwein-Prettner explains.

Not just a burden, but a chance for a new quality of customer relations
Thiemo Sammern, managing partner at the Salzburg-based Methis Software, advises companies to also see the positive aspects despite all of the added requirements. “The EU GDPR should be perceived not only as a burden, but also as an opportunity. For example, even the required clean-up of data sets can noticeably boost marketing efficiency, as only correct data are good data. Moreover, if the principle of ‘privacy by design’, i.e. already implementing all of the data protection measures in the conceptualisation of new data applications, is put into practice, this can become a starting point for a new kind of responsible and transparent communication between the company and its customers and employees. This and consistently implemented technical measures for correctly processing personal data and for guaranteeing the accuracy of content offer companies a feature that sets them apart from the competition. In addition, it enables the optimisation and restructuring of one’s own business processes”.

Significantly rising costs for data protection
Christian Kren, managing director of IS Inkasso Service, a company that inevitably works with large quantities of data, is more sceptical. “Compliance with the new regulations will require considerable investments in new software and then long-term higher costs for monitoring and implementing all of the data protection regulations. To some extent there will also be a balancing act between storage requirements and the obligation to delete data, which will impair working efficiency and, consequently, increase the costs for a large number of services”. However, Mr Kren does not expect the biggest problems at those companies where, as at IS Inkasso, data utilisation and processing are the core business: “Additional costs will be incurred in these companies, but they will be able to meet the new requirements. Many SMEs will find it much more difficult to manage their customer data”.

Leitbetriebe Austria Managing Director Rintersbacher nevertheless points to the positive side of the EU GDPR: “Leading companies and basically every company of course would wish for less bureaucracy, but the regulation also contains many quite reasonable provisions. Those who take the EU GDPR’s entry into force as an opportunity to extensively modernise their company’s data processing will not only meet the new regulations, but will also boost their efficiency significantly. The new EU provisions should be regarded as an incentive to add momentum to the modernisation of such important areas of work as IT, customer management and employee management, from which the company itself can benefit in the long term”.

Copyright: Sabine Klimpt