How these are interrelated – eCommerce Magazin

Data protection runs like a red thread through many topics, and it becomes particularly important in the whistleblowing system. To distinguish between data protection and compliance, you need to know the following: Compliance describes the adherence to all guidelines and laws in a company. This means that compliance managers must ensure that all business areas comply with the rules – from the recruitment processes in the HR department to expense reports in sales and compliance with the General Data Protection Regulation (GDPR) in all departments.

Management system ensures data protection and compliance

In addition to compliance with the law, structured compliance management also brings competitive advantages. Larger contracts from public-sector customers are often only awarded if a corresponding management system is in place. Data protection always refers to the protection of personal data. Since May 2018, the GDPR has formed the legal basis for data protection in Europe alongside the Federal Data Protection Act (BDSG). Data protection is therefore a compliance matter: it falls entirely within the area of compliance, but it also overlaps with other compliance topics. The following two examples illustrate the difference between data protection and compliance.

Technical and organizational measures (TOM)

The introduction of TOMs is required at various points in the company, including in the risk area of information security. The goal of information security is to protect company values (assets). In contrast to data protection, the focus is not on protecting the people behind the data, but on protecting the company itself.

Although there is no defined legal framework for implementing information security, there are international standards and guidelines such as ISO 27001 that define certain requirements. These criteria include the implementation of suitable technical and organizational measures to protect information.

The GDPR contains a similar requirement (Art. 32 GDPR). Accordingly, TOMs must be implemented and documented with a level of protection appropriate to the risk in order to protect personal data. If a company has already put TOMs in place to protect personal data, these measures can be “reused” for information security. This works best when the compliance manager and the data protection officer work well together and exchange ideas (more on this later).

Data protection and compliance: Introduction of a whistleblowing system

The EU Whistleblowing Directive obliges companies in Europe to implement whistleblowing systems by the end of 2021. Even before this directive came into force, whistleblower systems were an important pillar of compliance. They are designed to ensure that compliance risks and violations are identified at an early stage through anonymous tips from so-called whistleblowers.

But that only works if the identity of the whistleblower can remain secret. This is where data protection comes into play: No matter how a company implements its whistleblower system, the personal data about the whistleblower are particularly sensitive and must therefore be particularly well protected. The compliance officer should sit down with the data protection officer and work out a sensible concept together.

Responsibilities for maintaining compliance and data protection

Compliance typically falls within the remit of a compliance team headed by a compliance officer. He takes care of compliance with all relevant laws, guidelines, ordinances and voluntary commitments. As a rule, he is also responsible for the introduction of a compliance management system and suitable software tools such as digital whistleblower systems. There are no legal requirements for training compliance officers, but most are lawyers or people with a business background. In the organizational chart, the compliance officer is usually subordinate to the management.

In contrast, the data protection officer (DPO) takes on the role of a consultant. The DPO analyzes the current state of data protection in the company and issues appropriate recommendations for action. The DPO focuses on the implementation of data protection laws (in Germany primarily the Federal Data Protection Act and the GDPR). The DPO should also be well networked, but the role is far better suited to being filled externally; it can also be held by an independent expert.

[Graphic: The tasks of the compliance officer and the data protection officer in comparison. (Graphic: DataGuard)]

Cooperation between compliance officer and data protection officer

As we have already shown using the examples of the whistleblower system and information security, data protection affects pretty much all areas of the company and also has a major impact on the structure of compliance. This means that a conscientious compliance officer always communicates with the DPO – and vice versa. Such a cooperation has many advantages:

  • Processes and methods already implemented in data protection (keyword: TOM) can be used in other compliance areas (such as information security)
  • The compliance management system set up by the compliance officer can serve as an aid in developing a data protection management system, or may even integrate it completely
  • Strong data protection measures protect whistleblowers – a legal requirement of the Whistleblower Directive
  • Training materials can be exchanged and complement one another
  • Compliance with data protection laws is in the interests of both the compliance officer and the data protection officer – so any cooperation here is worthwhile

Data protection and compliance can be cleverly combined. In particular, those responsible should identify and use the similarities in the existing management systems. In this way, legally compliant processes can be created that are also visible to the outside world. This results in long-term competitive advantages for companies: customers and interested parties gain trust, and there are no fines due to data breaches or disregarded guidelines.



About the author: Patrick Agostini is a Privacy Consultant at DataGuard. DataGuard supports companies in the implementation of data protection-compliant processes. Agostini is a qualified lawyer (in Austria and Italy) and an international business lawyer (LL.M.) with a focus on business law and European law. As a privacy consultant at DataGuard, he mainly looks after small and medium-sized customers. Before that, he worked in Brussels as an assistant to a Member of the European Parliament, where he dealt with issues relating to data protection. He gained further knowledge in the area of compliance while working at Philips in Amsterdam, where he was responsible for the data protection-compliant handling of a global project. (sg)