GDPR in the pandemic - luxury or eye of the needle?

The topic of data protection, and in particular the General Data Protection Regulation, is gaining in importance for many companies in the lockdown due to the accelerated digital transformation. The use of adequate, virtual collaboration tools is increasingly becoming a decisive success factor in times of social distancing. At the same time, the legal framework is changing and becoming more stringent due to the so-called "Schrems II" ruling from July 2020 and its impact on the international data transfer that virtual collaboration entails. Companies are becoming more digital at top speed during the pandemic, but are thus once again faced with the challenge of ensuring data protection. In this situation, how can we remain capable of action and compliant with data protection at the same time, and also take all the stakeholders involved with us?

Let's be honest: the topic of data protection has been pushed into the background by many companies since the beginning of the pandemic. Yet the pandemic is THE driver of digitalisation and wherever digitalisation takes place, those responsible must ask themselves the very practical question of how to handle personal data in accordance with the law. Which collaboration tool does one use, for example, if the tools of the large US tech companies seem to be without alternative and at the same time suitable guarantees for the international transfer of data are declared illegal and invalid? This and several other challenges yield insights that are of considerable importance for data protection and can be a great learning effect for entrepreneurs.

The extensive requirements of the GDPR are not new - The years 2018-2019

Implementing the data protection requirements of the GDPR was a challenge for many companies even before the Corona pandemic. Small and medium-sized enterprises in particular lacked the resources and know-how to meet their accountability obligations under Article 5 of the GDPR by the implementation deadline of 25 May 2018.

• The management and all employees of the company had to be trained,
• the contracts with processors had to be renewed,
• the list of processing activities had to be adapted to the new requirements,
• all legal bases had to be ensured and documented,
• the obligation to inform the data subjects had to be ensured at the time of the collection of the data,
• data protection through technology design had to be carefully checked and documented, and
• adequate processes for reporting data protection breaches had to be implemented.

The introduction or readjustment of the above-mentioned measures led to a high initial effort and many companies also experienced the subsequent regular quality management and the associated processes as a very challenging task.

Due to the large number of new or stricter regulations and a significant increase in sanctions for non-compliance, the topic of the GDPR generated a lot of attention from the beginning. It met with little acceptance in many places. Fundamental debates about the appropriateness of the state regulations were the result, as the new legal situation did not always coincide with the legal perception of the top managers or the employees in charge of implementation.

The original goals of the legislator - to create a uniform, high standard of data protection throughout Europe and to strengthen the fundamental right to informational self-determination of each individual - therefore increasingly receded into the background in public reporting.

The icing on the cake: The Boom of the Cloud and the Privacy Shield - 2020-2021

After the initial implementation efforts of the companies had subsided and the topic of the GDPR had been accepted as part of normal business operations, the Covid 19 pandemic as a driver of digitalisation and new data protection requirements were added in 2020. Both presented companies with further, completely new challenges.

The home office boom

The pandemic led to a rapid increase in the home office rate and to modern collaboration tools from leading US tech companies becoming indispensable. A recent Bitkom study from December 2020 shows that in Germany, the proportion of employed people working at least partly from a home office increased dramatically in the last year of the pandemic. Whereas before the pandemic there were 6.3 million employed persons, there are now 11.5 million employees who regularly work from home and more than 10 million of them even work exclusively from their home office. As a result, providers of collaboration tools are enjoying a real boom. Microsoft, for example, was able to record a rapid increase in the monthly user numbers of Microsoft Teams from 20 to 115 million within one year. This significant increase also means that many companies now urgently need to deal with the current legal requirements regarding international data transfer.

The End of the Privacy Shield Regime

In terms of data protection law, the framework conditions regarding the lawful handling of personal data in international data transfers changed first and foremost in 2020. When personal data is transferred to a processor in a third country, it must generally be ensured in accordance with Articles 26-28 of the GDPR that an adequate level of data protection is provided by the receiving company in the third country. Especially when migrating data to the cloud, the issue of the GDPR plays a major role, as the leading cloud providers such as Microsoft, Google or Amazon are US companies. According to the GDPR, they are considered third-country providers, which complicates the examination of legal admissibility. In this case, it must be checked whether there are corresponding additional guarantees or agreements for the processing operations. Many companies had still invoked the so-called Privacy Shield until the middle of last year. This sector-specific adequacy decision was intended to ensure the conformity of US providers with European data protection law under certain circumstances and to generally allow a transfer of personal data to the USA.

The ruling of the European Court of Justice (ECJ) of 16 July 2020 ("Schrems II") declared the adequacy decision immediately invalid. This decision was due in particular to the powers of the US intelligence services and the general legal situation in the USA, which could not ensure an adequate level of data protection according to the ECJ ruling. The ECJ ruling meant that companies had to resort to other appropriate safeguards for international data transfer.

New effort due to standard contractual clauses

The so-called standard contractual clauses, which can be concluded between the companies in third countries with an insufficient level of data protection and the data transmitter in the EU, are an example of such alternatives. However, in this context, the controller must additionally check on a case-by-case basis whether the level of protection for the personal data actually corresponds to that of European legislation. Furthermore, he must take appropriate additional measures or agree on them with the data importer. This is an exhausting process that once again ties up resources and requires legal know-how.

It is not uncommon for data protection lawyers to recommend comprehensive best practice concepts in order to keep the risks of further use of controversial US provider tools as low as possible. The accountability according to Article 5 of the GDPR of the entrepreneurs is also in the foreground here. Businesses must examine on a case-by-case basis whether the use of collaboration tools from US providers is legally permissible, how the level of data protection can be increased as much as possible and how risks can be minimised.

Business owners must therefore make a decision as to whether they want to accept the existing risk of continuing to use well-known collaboration tools or whether they want to go down the path of a best practice concept that minimises risk and increases the level of data protection. In addition to a detailed risk assessment and an adaptation of the processing directory, such a best practice concept should also include a usage guideline for the employees. This should explain the data protection-friendly handling of the tools mentioned and the data protection-friendly configuration. This concerns the deactivation of data protection-critical components, information on encryption methods, the deactivation of telemetry and diagnostic data, and much more. In addition, external expert opinions can be prepared by independent data protection experts to provide additional assurance for the documentation mentioned above. Furthermore, entrepreneurs should involve the works council in the process of concept development at an early stage and implement a process to regularly review the legal framework and internal communication.

The learning effect on data protection in the pandemic: commitment and communication

After the introduction of the GDPR, many entrepreneurs had the impression that they could choose between a certain financial risk in the case of non-compliance with the regulation and a legally compliant path. If they opted for the second option, there was no way around a rather costly implementation of all data protection measures. And the adaptation of their own documentation and processes during the pandemic and after the "Schrems II" ruling also led to renewed effort, which at first glance seemed considerable.

This way of dealing in no way promises relief for entrepreneurs, quite the opposite - it requires a lot of effort and tact. From our experience, however, the rather high data protection law effort due to the current situation is not only unavoidable, but also worth it. A large part of this effort consists of stakeholder management and communication - and this can only succeed if the person responsible for data protection literally feels responsible in his or her role and acts, which is ultimately not just a question of discipline and a sense of duty, but reflects an attitude that corresponds to the modern, digital zeitgeist.

Last but not least, the careful implementation of data protection for companies is also a question of professionalism. As different as the business processes may be, in the end employee, applicant and customer data are always people's data. And this data enjoys Europe-wide protection.