Wednesday, May 25, 2016

EU General Data Protection Regulation Comes Into Force on May 24, 2016

The new EU law combines data privacy with data security - in future, companies need to prove organizational and technical protection measures for personal data. 



Markus Robin, General Manager SEC Consult: "Data privacy needs data security. With the new EU regulation, IT security finally plays a big role in data protection. Thanks to Germany's IT security law, Germany already has a quite high protection level in critical infrastructure companies, but now the whole of Europe's economy is asked to follow. Other European countries such as Austria, which start from a lower cyber-security and privacy level, will have to step up their game pretty fast. For affected companies this means: start your risk analysis as soon as possible and prepare an implementation plan, because the two-year implementation period is shorter than you expect."

Yesterday the new EU General Data Protection Regulation came into force. Its objective is a high and unified level of data protection across the whole European Union. It affects every company that processes personal data of EU citizens, so international data giants such as Google, Facebook & Co. are regulated by this law as well. Alongside data protection principles such as the "right to be forgotten", the new regulation emphasizes the importance of data security. From May 25, 2018, all affected companies and their applications must be able to prove and document organizational and technical protection measures for personal data. In case of a violation, the fine is measured against the precautions the respective company had taken, but can reach 20 million Euro or four percent of worldwide annual turnover of the prior year, whichever is higher.


Given the short implementation period of just two years, SEC Consult recommends:


1. Start a Risk Analysis and Prepare an Implementation Plan – NOW!


Companies should start dealing with the new organizational and technical legal requirements as soon as possible: first, to budget for the financial investments that may be needed, and second, to leave enough time for implementation. "The very first step needs to be a comprehensive analysis. What kind of personal data do you hold and how is it classified? How high is the risk? Which protection measures are already in place? From these answers we can derive the necessary actions," says Markus Robin.


2. Find an Implementation-Partner


"The new level of penalties corresponds to several annual IT budgets; negligence can't be settled out of petty cash anymore. For a complete implementation of the required measures, companies should seek legal and security assistance from experts," Robin advises. SEC Consult itself works closely with lawyers and offers comprehensive consulting, from an informative risk analysis through to the implementation of security measures.

Find out more about the EU General Data Protection Regulation and contact us for an appointment: send an email to office@sec-consult.com or use our international contact details.


Facts & Figures // EU General Data Protection Regulation


  • Is part of the EU data privacy reform
  • Came into force on May 24, 2016
  • Applies from May 25, 2018 (two-year implementation period)
  • Objective: a standardized, high level of data protection for the whole European Union
  • All companies that process personal data of EU citizens are affected, so international data giants such as Google, Facebook & Co. are also regulated by this law
  • Companies must implement organizational and technical protection measures in the areas of privacy and data security, and must be able to prove and document them
  • Companies need a level of protection that is appropriate to the risk
  • Massive increase in penalties: depending on the violation, up to 20 million Euro or four percent of the worldwide prior-year turnover, whichever is higher; the fine is measured against the precautions the respective company had taken