General data protection regulation (GDPR)
Most people currently associate the GDPR (the EU's General Data Protection Regulation, which entered fully into force on 25 May 2018) with rules governing consent for the use of personal data and rights for data subjects, such as the ‘right to be forgotten’. Yet the GDPR also introduces obligations in respect of appropriate and state-of-the-art protection for personal data and implementation of the principle of data protection by design and by default. The necessary steps must therefore be taken to ensure compliance in this regard.
The EU's General Data Protection Regulation (GDPR) ushered in a great number of changes in the field of data protection after it took effect on 25 May 2018. These go far beyond the much-discussed changes to the consent rules for the use of personal data, or the ‘right to be forgotten’. They include general measures to prevent personal data being accessed by unauthorised users (both internally and externally). Unlike other regulations such as the German IT Security Act, every company will be affected by the GDPR and will be obliged to review – and perhaps improve – their technical data protection measures. The GDPR makes it clear that data controllers are responsible not only for the secure processing of personal data (Article 32), but also for taking appropriate steps to ensure compliance with the obligations laid out in the GDPR (Article 24) and for implementing the principle of ‘data protection by design and by default’ (Article 25). Companies must therefore take appropriate action, in most cases by deploying state-of-the-art systems.