The sword of Damocles GDPR? Interview with Jörg Hagen, data protection expert (Part 1)
19.06.2018 - The European General Data Protection Regulation (GDPR) did not come overnight. Nevertheless, many companies experienced it like a bombshell: "Help, the new data protection. Oh dear, so many regulations! What do we have to do, what are we still allowed to do, when will we face fines?" This was the general mood in quite a few companies. Because beyond the purely factual and quite extensive data protection declarations that had to be placed on websites, there is a great need for clarification in operations - in marketing, sales and customer contact.
For example, as a potential B2B partner, what data protection explanations do I need to reel off when initiating business? "What do I do with dormant B2B contacts in my database that date back to the early stages of the new GDPR? How do I reactivate them? How do I acquire leads if I am only allowed to follow up with potential customers digitally to a very limited extent?" We explore these questions in our interview series "GDPR - sword of Damocles or added value" with the Steinbeis Group's Data Protection Officer, Dipl.-Ing. Jörg Hagen.
Mr Hagen, how did you experience 25 May 2018?
Very turbulent. Even in the countdown phase, there was a growing sense of nervousness and tension among companies. No decision-maker wanted to do anything wrong, no one wanted to risk a warning or, worse still, a fine. The European General Data Protection Regulation is complex and extensive. Much is clear, other things are still up in the air. In many areas, clear guidelines for companies are still missing. For example: Where does Facebook's liability for companies begin and where does it end? In short, the GDPR still has a few pitfalls in store.
Let's talk about the obvious things. Give us a few basic points to consider.
Let's start with the data protection officer. This is necessary because companies need a moderator and someone who is always up to date. Because this is just the beginning: the GDPR will continue to develop and have an impact on business. Companies with 10 or more employees that regularly handle personal data need a data protection officer. However, not everything can be shifted onto them. They are the advisor and "advocate" for personal data. The responsibility lies with the company, and the co-responsibility of the employees is also required. Careful, internal, confidential handling of customer data is a must for everyone. Keep documents and data under lock and key and protect access from third parties who have nothing to do with the customer case. That includes colleagues. Lock offices where data is managed. Protect passwords. Server rooms must only be accessible to IT/admin employees.
Well, these are self-evident. But how does the GDPR affect data generation, for example in customer journey marketing and lead generation?
This is a crucial issue. More creativity is required from companies here than before, as significantly stricter sanctions are to be expected with almost the same regulations. This increases the risk of entering a legal grey area in order to achieve maximum marketing success. For example, a fair exchange has often been agreed with users - downloading a white paper in exchange for an email address - and used for marketing purposes. This can be seen as unauthorised tying and is therefore no longer legitimate. Marketing must therefore find new ways of doing what is permitted - in close consultation with the data protection expert. This results in a new or intensified form of cooperation. In short, it has become much more difficult to obtain new data.
What duty of disclosure do companies have towards customers and users in marketing?
In the case of interactive features, the reference to the privacy policy must be visibly placed and the user must confirm this. It must therefore always be ensured - throughout the entire process of contact and data exchange - that the customer has been informed, that they know what happens to their data (transparency), that they actively consent and that they have given permission for online dialogue (email/newsletter) in accordance with the double opt-in. They must also have the option to unsubscribe at any time and have been informed of this. The company requires written or electronic confirmation (by e-mail link) that the user agrees to receive the newsletter. A dynamic, interactive process therefore takes place between the company and the customer, which is a permanent form of legitimisation and verification of the way in which data is used.
What appeals to you personally about data protection, how did you become a data protection officer?
Well, I wasn't born with the topic. I'm actually a trained architect. A profession that also involves a lot of regulations. Even back then, I recognised how important the symbiosis of creativity and compliance with certain regulations is. You can have great ideas, but they have to be compatible with building law, environmental regulations and much more. I think that today more than ever, the data protection officer can be an important source of inspiration for marketing and sales. I also see the added value for corporate divisions in this.
Mr Hagen, briefly on the subject of the "sword of Damocles": where are the biggest dangers lurking?
Firstly, the very high fines of up to 20 million euros or 4% of global group turnover - whichever is higher.
Its form as a regulation, and therefore its direct application throughout the EU.
This is accompanied by the territorial principle, which means that all companies outside the EU must also comply with the GDPR if they provide goods and services directly to EU citizens.
Obligation to report data breaches within 72 hours. This means, for example, that if there is a data leak, a company must inform the supervisory authorities within just 72 hours.
I also see the reversal of the burden of proof as one of the major innovations. This means that a company must now be able to prove that it is doing everything right in terms of data protection!
Mr Hagen, thank you very much for the interview. We look forward to continuing our dialogue on the new General Data Protection Regulation in the coming week.
Click here to go directly to part 2 of the interview.
Cover photo: iStockphoto