EU-DSGVO and Big Data

The good news first: Even with the EU GDPR, new technologies do not have to be abandoned. However, Big Data, Industry 4.0 and AI must be planned down to the last detail from the outset in terms of international data protection law.

In particular, the new obligations regarding "privacy by design/default" and the mandatory data protection impact assessment (DFA) must be taken into account. This is because the data protection-relevant actions to which the EU GDPR applies almost always involve the collection, processing and use of personal data.

This means that the entire data processing value chain is subject to data protection laws, from generation/collection to deletion. This has been concretized and tightened with the new regulation - in particular the rights to be forgotten, data rectification, erasure, blocking and data portability, as well as the obligation to notify data protection breaches.

The documentation requirements will be significantly expanded and extended to the processor in the future. The EU GDPR also extends the applicability of EU data protection regulations to processors and their clients in third countries.

Another new aspect is that in the future, data processors can be held (jointly) liable for data protection violations in the course of their commissioned data processing. The EU GDPR affects all companies that do business from the EU or maintain business relationships in the EU or collect, process and store (have stored) their data in EU member states, i.e. also companies or organizations based outside the EU.

For the design of Big Data, AI and digitization processes, further determining principles of EU data protection law must be taken into account, namely the fundamental prohibition of data processing of personal data with reservation of permission, the purpose limitation principle and the need for justification (law, consent).

This means that using data once available for other purposes or merging data with data from other sources or any change of purpose requires a new, additional justification.

This often leads to problems in these processes, as data must be torn from its original purpose context, merged, restructured and analyzed, and thus put to new uses.

Individual consent does not appear practicable here. Consent would only be effective if it was declared on a sufficiently informed basis and complied with the provisions of the law governing general terms and conditions, in particular the transparency requirement.

Another drawback is that consent can be revoked at any time. If legal justifications are available, these should be used. Alternatively, contract management would be required to ensure that the respective data processing is necessary for the initiation and fulfillment of a contract with the data subject(s), so that an appropriate design of the contractual relationships is the second means of choice. Only if and insofar as legal justifications do not intervene should the instrument of consent be used.

Another important point is that the data is also processed securely. This requires an appropriate data protection concept that also includes data backup. Here, the backup solution should be certified for the applications, as is the case with SEP for SAP applications in particular. This ensures that the original manufacturer support is not lost.

So you can see that the new regulation is intended to provide greater protection for personal data in particular, which naturally goes hand in hand with a stricter strategic orientation for data processing. Even though it appears to be more complicated, on the other hand it means that processing of personal data is still possible. Just more carefully than has usually been the case up to now.