The data protection regulation upsets me
At first I thought it would simply just go away. But it didn't go away. We all have to deal with it.
Here's how it works. You apply for a job with me directly. I forward your application internally to the responsible department. We reject your application (which we would prefer not to do anymore, since that only leads to complaints). Then you’ll sue me in five years because a copy of your application is still in a back-up of my outbox? But you wouldn't sue me, would you? Because that would seem ridiculous to you, and because you have not been wronged.
First of all, thank you for your understanding. If you have suffered any damages because I inappropriately handled your data, then by all means, sue me. But as a result of a new data privacy regulation, there will soon be an authority that will check for days at a time every year to see whether we correctly handled your application (and other data), or whether perhaps there was some wrongdoing. And the auditors will check this as well, along with the employer's liability association, oh and also the social authorities, because an application document could "almost" be an employee document, so they will simply declare themselves responsible.
And as always, if the EU introduces an exaggerated regulation which in practice does not interest anyone in many countries (have a look at Austria, which has already announced it will not prosecute violations), Germany will, of course, create a wonderful agency which will further limit our competitiveness. Just as in Germany you will find roughly 8 authorities and associations who check every year whether our fire extinguishers are hanging properly. The nationwide additional fire burden due to the paper wasted by these audits is likely to exceed the fire protection effect of these measures - and whether more people can be rescued by a properly hung extinguisher than die in car accidents while driving to perform these checks should urgently be clarified.
I am also sure that more roofers fall from a roof and die during routine inspections of lightning protection devices than people in office buildings get hurt as a result of lightning strikes. But if the government does not require the inspection, then the insurance company will. Working in the background here as well are various other authorities, who could also attract lightning in case they get bored.
Back to privacy: Please keep calm, because it is not even clear who can take measures against whom and when. I can only delete a customer record once the retention period of the tax office has expired. Wait until the first time a tax office accuses a company of having deleted the data so precisely on the same day just to avoid further inquiries. What happens to liability processes that sometimes require older data? Like, what if my landlord now throws away my private lease for my flat from 20 years ago for safety's sake, even though I would like to have a copy, because I have to prove my whereabouts since my birth (without any gaps) for a move to Timbuktu (where there is no privacy regulation)?
So in the end it all comes down to a personal assessment of which law takes precedence, and then to the courts. The deadline by which you must take action is 25 May. But that does not mean that you must have implemented measures by then. I guess a little patience could defuse the workload. Anyway, you should confidently ignore all e-mails from business consultants and law firms, as well as newspaper articles, that say "Your company could be fined millions if ...". Scare tactics do not help. No, I am not panicking, I'm just upset.
You also have to ensure that your data is secured sustainably, long-term. Just how do you do that? What if I knew, thanks to scientific prognoses, that the first quantum computers will hit the market in three years, and that there is no encryption software anywhere that can save my data from this computing power? Then I would be acting against my better judgement if I only put my data (encrypted) in a cloud.
Incidentally, Jarltech does not buy or sell any data, and we do not store any data in any cloud that does not belong to us and is not completely controlled by us. The legitimate and meaningful exchange of data is, by the way, covered by the regulation - for example, the transfer of data to a tax consultant or to a factoring bank. That is the interpretation so far. So if I let "common sense" prevail, then I am doing everything right. The fact that I have to keep people busy for three days a year to document something that is logical anyway does not make it any easier.
It remains that only the state may (not theoretically, but practically) store and evaluate what it wants and when it wants. When will the tax office comment on how its data is actually secured, on why it compares my data with "industry data", or on why it has to have the complete accounting data transferred if it just wants to "check" something? That worked for 100 years with random samples. They want to have the data simply because it exists! Isn't that enough for reasonable suspicion? Why does my data need to be stored after a tax audit? And how much compensation can I get if my auditor drops a USB flash drive with all my corporate data out of the car at full speed right in front of the headquarters of one of my so highly valued competitors?
I would like to have a data privacy regulation that protects end users and companies, is implemented equally in all EU countries, and is applied in court as strictly to the state and its institutions as to everyone else. And not such half-baked crap that probably will not prevent a single spam e-mail or trigger a single change in Facebook & Co's behavior. Wasn't that the point?