Laws have to be interpreted in order to be enforced in everyday situations. Group Privacy has drawn up a set of standardized rules for the Group as a whole; they are called Binding Interpretations. They were developed in collaboration with data privacy experts in the national companies. The Binding Interpretations include recommendations and best-practice examples for implementing the EU regulation. For example, they explain what customer consent must entail, or how customer data has to be deleted if the customer requests this. From January 2017 to May 25, 2018, the new requirements based on the Binding Interpretations were introduced throughout the Group. This involved checking and, where necessary, adjusting all the IT systems. All employees have been informed about the GDPR and numerous training sessions have been conducted. Once implementation was complete, the monitoring phase began. Affected entities of the Group were asked whether they had implemented all relevant requirements. In addition, spot checks for compliance with the GDPR were carried out at 28 entities. They confirmed that the requirements had been implemented.
Our collaboration in the AUDITOR project is also representative of how we are dealing with the new legal conditions. The goal of the project is to develop and test EU-wide data protection certification of cloud services. In particular, its focus is on translating specifications of the GDPR into international data protection certifications.