Data Protection Management Systems: With a DSMS, (new) regulations leave you unfazed.
We explain what a data protection management system is, what it is suitable for, and how you can keep track of it.
- What is a Data Protection Management System (DSMS)?
- Why is a Data Protection Management System needed?
- What are the advantages and disadvantages of a Data Protection Management System for companies?
- What legal regulations exist for Data Protection Management Systems?
- Checklist for the selection and introduction of a Data Protection Management System
- Which Data Protection Management Tools are suitable?
- Conclusion: Those who live according to the motto "No risk, no fun" can stick with Excel & Co. - we recommend DSMS to everyone else
With the introduction of the General Data Protection Regulation (GDPR), companies are legally obliged to comply with certain accountability and proof obligations. According to a study by Datenschutzexperte.de, which surveyed more than 100 data protection officers in SMEs, the biggest time sinks are project management activities (e.g. information gathering), the seamless maintenance of the directory of processing activities (VVT) and the documentation of all technical and organizational measures (TOM).
Some companies use Excel and Word files for data protection, which entail procedural challenges, decentralized documentation and a lack of transparency. This leads to higher time expenditure and more potential for errors. A Data Protection Management System (DSMS) can relieve data protection officers and minimize internal effort and errors. In this article you will find out what to look out for when choosing your DSMS and receive a list of the most popular tools in the OMR community.
What is a Data Protection Management System (DSMS)?
A Data Protection Management System is the data protection roadmap for companies from any industry. It guides companies in how to handle personal data compliantly.
Why is a Data Protection Management System needed?
The EU General Data Protection Regulation (EU-GDPR) standardizes the implementation of data protection within the EU. The same rules apply to all member states. These are supplemented by the German Federal Data Protection Act (BDSG). European companies can regulate, plan, control and monitor their data protection in a legally compliant manner with a data protection management system. The use of a DSMS provides a clear roadmap for management, employees and customers alike.
Tasks of a Data Protection Management System:
- Review of all data protection measures in the company
- Establishment of GDPR standards (e.g. data processing contracts, accountability, TOM, appointment of a data protection officer)
- Introduction of standardized processes (e.g. data subject and deletion requests, data protection breaches)
- Issuing a list of requirements incl. guidelines and instructions to employees
- Ensuring data protection compliance (adherence to data protection regulations)
What are the advantages and disadvantages of a Data Protection Management System for companies?
A Data Protection Management System digitalizes and optimizes the data protection processes in the company. It relieves the persons responsible for data protection and individual departments that work with personal data. A DSMS minimizes the internal workload and the error rate.
Advantages
- Uniform structures and clear organizational administration
- Authorization concepts, export functions, legal advice and security
- Digitalization, synchronization and centralization of data
- Creation of risk analyses
- Systematic recording and administration of personal data
- Data transparency and control
- Identification and reduction of data protection risks and minimization of data protection breaches
- Boosting trust among customers, employees, as well as suppliers
- Easy verification of data protection compliance
- Fine-reducing effect in case of unintentional data protection violations
Disadvantages
In theory, Excel is sufficient to document the components required by the GDPR. In comparison, the implementation of a new system can be time-consuming. The effort should always be considered in relation to the company's size.
What legal regulations exist for Data Protection Management Systems?
The General Data Protection Regulation does not explicitly prescribe a specific data protection management. Therefore, each DSMS can have a different approach to ensuring compliant documentation and accountability.
Important accountability and proof obligations
Companies must ensure on the one hand that they comply with the provisions of the General Data Protection Regulation. On the other hand, they must also be able to prove this, otherwise fines and claims for damages may be imposed. The legal and proof obligations include:
- Purpose limitation of the data collected
- Accuracy of data, with deletion or correction of inaccurate data
- Minimal data storage ("only as long as necessary")
- Data transparency, legality and processing in good faith
- Data minimization
- Integrity, confidentiality, availability
- Processing directories
- Data processing contracts
- Technical and organizational measures
- Data protection impact assessment
- Data protection officers
- Employee training
- Data protection incident documentation
Art. 1 GDPR Subject and Objectives
- This Regulation contains provisions for the protection of natural persons with regard to the processing of personal data and for the free movement of such data.
- This Regulation protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
- The free movement of personal data within the Union must not be restricted or prohibited for reasons of protection of natural persons with regard to the processing of personal data.
Art. 2 GDPR Material Scope
- This Regulation applies to the wholly or partly automated processing of personal data as well as to the non-automated processing of personal data which are or are to be stored in a file system.
- This Regulation does not apply to the processing of personal data
  - in the context of an activity that does not fall within the scope of Union law,
  - by the Member States in the course of activities falling within the scope of Title V Chapter 2 TEU,
  - by natural persons in the course of exclusively personal or family activities,
  - by the competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offences or executing sentences, including the protection against and prevention of threats to public security.
- The processing of personal data by the bodies, institutions, offices and agencies of the Union is subject to Regulation (EC) No. 45/2001. Regulation (EC) No. 45/2001 and other Union legal acts regulating this personal data processing shall be adapted in line with Article 98, respecting the principles and rules of this Regulation.
- This Regulation does not affect the application of Directive 2000/31/EC, especially the provisions of Articles 12 to 15 of this Directive on the liability of intermediaries.
Data Protection Organization and Responsibilities
Depending on the size of the company, it is helpful to appoint data protection coordinators in individual departments in addition to the data protection officer. These people should coordinate between employees and the data protection officer and may serve as first points of contact. Training and sensitizing employees usually remains the responsibility of the data protection officer.
Cases that require reporting include, for example:
- Reports from data subjects
- Introduction of new systems
- New service providers
- Advertising measures such as a newsletter distribution
- Online marketing measures such as tracking actions
Directory of Processing Activities
Companies must determine in which cases personal data is collected and processed. First of all, all systems and tools in the company where personal data is stored can be listed.
Data Protection Impact Assessment
In certain cases, companies have to carry out a data protection impact assessment - for example, when a processing is likely to cause a high risk for personal data.
Contract Management
It is advisable to list all service providers. Data protection officers should check whether
- personal data is disclosed, used, transmitted or processed,
- an agreement for order processing is required and
- this has already been concluded.
Data Secrecy
Employees should be obliged to sign a data secrecy undertaking, even if this is not explicitly regulated in the General Data Protection Regulation.
Data Protection Training
Data protection officers must monitor the proper implementation of training.
Exercise of Data Subject Rights
Data subjects have the right to information, access and objection, as well as the right to rectification, erasure and restriction of processing, and the right to data portability.
Data Protection Violations
In the event of a violation of the protection of personal data, companies must report the violation to the competent supervisory authority immediately after becoming aware of it.
Data Security
You can find provisions regarding the security of processing, among others, in Art. 5 para. 1 (f) and in Art. 32 of the GDPR.
Examples
Hosting
You must ensure that your privacy policy covers all current data protection laws. Therefore, you should review it regularly. In addition, it is your responsibility to create documents for the authorities that prove your GDPR measures. This includes, for example, contracts with subcontractors as well as the technical and organizational measures. This can be done, for example, with the consentmanager tool. You can find the details on this topic in the article GDPR-compliant hosting.
Source: ConsentManager
E-mail Encryption
S/MIME- and PGP-based e-mail encryption forms the foundation for the protection and legal security of electronic messages. With the Mail Gateway from NoSpamProxy you can, among other things, send GDPR-compliant e-mails.
Source: NoSpamProxy
Data Analysis
SAI360 helps you make informed decisions based on customizable reports, access data using natural language processing (NLP) and create and customize reports for compliance audits.
Source: SAI360
Checklist for the selection and introduction of a Data Protection Management System
Choosing your Data Protection Management System is an important decision. We recommend that you proceed systematically and use a checklist.
1. Criteria for Providers
Your data protection provisions should not only look good on paper, but also be lived in the company. The seriousness and professional expertise of the software provider play an essential role in this. A server location within the EU is ideal. Make sure that the provider performs regular updates to reflect all new laws or changes in the law, and that German-speaking support is available. It is definitely worth looking at the provider's references to learn from similar companies and their experiences. Most Data Protection Management Systems include a free trial period or are available as free demo versions, so you can check usability and user-friendliness. Preferably involve the people who will later work with the DSMS in the system selection.
2. Functional scope
Since each system is largely free to decide how it covers the GDPR's mandatory requirements, DSMS can be structured differently. Nevertheless, your Data Protection Management System should have these core functions:
| Function | Examples |
| --- | --- |
| Directory of processing activities | simple overview, VVT export at the push of a button, inheritance of processing activities, adaptive views and fields, file upload for evidence, approval process, completeness check, specification and preselection of data types, flexible assignment of external parties to data categories, distinction between data storage location and external recipients, storage of statutory retention periods and data flow diagram creation |
| Data protection impact assessment | direct link to the directory of processing activities, free-text input and functions, risk recording and assessment, preselection of risks and TOMs, documentation of compliance with data subject rights and export functions |
| Technical and organizational measures | templates, assignment of TOMs to protection goals (Gewährleistungsziele), TOM overview with the status of TOMs and risks |
| Data protection breaches | incident reporting function for all employees, derivation and tracking of measures and tasks, documentation of decisions, reporting to the supervisory authority via export function |
| Data subject requests | documentation of data subject requests, integration with an e-mail client or customer support software, overview of data storage locations |
| Deletion concept | adoption of details from the VVT, export of the deletion concept, display and tracking of deletion deadlines, deletion logging |
| Service provider management / processing on behalf of a controller | recipient lists, product and service management, documentation of details and contractual agreements, support with compliance checks, communication with departments and external recipients, completion aids and templates, process visualization incl. involvement of the people concerned |
| Document storage | document center and consent registers |
| KPI measurement and reporting | dashboard incl. filter function, activity tracking and annual report creation |
| Auditing | audit templates, question catalogues, reports and findings |
| Collaboration | task creation, assignment and tracking, notifications, recurring tasks and follow-up reminders |
| Role and organization management | adding users, defining user roles, maintaining the organizational structure, group and multi-tenant capability |
| Security | single sign-on, two-factor authentication (2FA) and interfaces (APIs) |
| Onboarding and setup | document import, templates, training concepts and implementation support |
Which Data Protection Management Tools are suitable?
On OMR Reviews you can find many helpful tools for Data Protection Management that support you in implementing a GDPR-compliant data protection concept. You can refine your selection using filters. The verified user reviews help you to find the right tools.
These are currently the most popular DSMS on OMR Reviews:
Conclusion: Those who live according to the motto "No risk, no fun" can stick with Excel & Co. - we recommend DSMS to everyone else
Although a Data Protection Management System is not directly required by the GDPR, the comprehensive legal basis makes it almost impossible to keep track without a DSMS. It ensures legally secure administration, processing and traceability for possible inspections by the supervisory authorities.