Privacy Cramp: Fear of the GDPR
I often hear the following comments about the GDPR:
Nothing is allowed anymore by the AVG.
Let’s ask for explicit permission, then we are always safe.
If we do something wrong, we will be fined 20 million.
Companies and their employees are shot by this attitude in the “ privacy cramp ” they freeze.
False Expertise
The most dangerous is to think that after a 3-7 day course one understands and can interpret the GDPR ( see law ) properly. This also applies to lawyers who of course do not know all the laws and have just scanned the GDPR.
Own interpretation
Very dangerous if you do not know where the clapper is. The GDPR is an interpretation law. So companies can decide for themselves how they handle personal data. As long as it is transparent, proper and legal.
Distressing
Michael P. was asked for permission to forward his file!
Nonsense of course, there are 6 legal bases and permission should not have been requested at all. On the grounds of public interest (Art.6e) or legitimate interest (Art.6f), authorities could simply have exchanged the medical file.
No Privacy policy
The GDPR is a best effort law, you must demonstrate that thought has been given to how personal data is handled. How have you organized privacy management, what procedures are there, which guidelines should be adhered to?
Ignorance
So if there is no privacy policy, employees will not know where they stand. You cannot make them aware and they will do something themselves.
Administration
The basis will always be that you as an entrepreneur must write down what you do with personal data. The privacy accounts must be in order so that you demonstrably comply and the authority can come by. Start your privacy administration here
Massage away cramps
Structure your approach:
- Know what you do, why you do it and on what basis.
- Know where the risks are legal, organizational and technical.
- Know what appropriate measures you have or will take.
- Organize privacy management.