GDPR: Why companies may be afraid of article 32

On May 25th this year, the European Union's new General Data Protection Regulation (GDPR) comes into force – a fundamental change that poses major challenges for companies in all sectors. Wolfgang Heinhaus, Partner Advisor at Information Services Group (ISG), drew up for MyBusinessFuture the most important aspects that companies should now focus on.

The main challenges that companies face now

What must companies pay attention to in the last few weeks before the GDPR applies? Wolfgang Heinhaus sees Article 32 of the regulation as a particularly fundamental provision: it obliges companies to protect the personal data they hold in accordance with the technical state of the art – and the state of the art has meanwhile reached a level of complexity that many internal privacy directives do not live up to. Above all, most companies will need to focus on keeping data safer and bringing it up to the new standards.

In order to reliably guarantee the latter, the obvious first step is an exact inventory: how and where personal data is stored, how access rights are organized and logged, and which encryption and other security measures are already in place.

Only then can measures be taken to prevent possible violations of the regulation. In doing so, a suitable methodology should be the focus: “The protection can only be realized with appropriate technologies, capable of promptly detecting and alerting on any data protection violations, automatically remedying problems, and providing opportunities for investigation”, says the ISG expert.

Therefore, Heinhaus recommends that companies which have not yet started implementing the new standards hire external consultants to “locate and adequately address the weaknesses in the business”, thereby avoiding shortcomings.

The GDPR in a nutshell

The 99 articles of the regulation, which will apply in all EU Member States, set out basic data protection rights. The rules concern the collection, storage, processing and general use of the personal data of EU citizens and must be respected by all companies operating in the EU, regardless of their size or of how the data is stored.

A Data Protection Officer should be designated to monitor compliance with the GDPR; any data breaches that occur are to be reported to the affected customers and the supervisory authority within three days. In the case of violations of the requirements, fines of up to four percent of the previous year's worldwide turnover, and in any case up to 20 million euros, are due.

This is perhaps the best reason not to underestimate the seriousness of the regulation and to initiate the corresponding steps within the company – if not already done – as soon as possible.

This piece is partly based on an article by ISG.

Source cover image: iStock / BirgitKorber