25 June 2018 - Annual report and planning

How to create your data protection plan


What’s in the “Outlook” section of your current data protection report? Implementation of the General Data Protection Regulation (GDPR)? It should actually be a little more detailed. This is the time to think about your data protection plan.

Without data protection planning, there is no common thread. The data protection report and plan are important tools for the data protection officer (Image: / koo_mikko)

Fleshing out the data protection plan

Data protection reporting and planning: It sounds like bureaucracy and a lot of work. Data protection officers (DPOs) have very little time for their many tasks.

Nevertheless, both components should be included in your data protection toolkit. At the same time, it is not absolutely necessary to always create a completely new document. The first step is simply to flesh out the “Outlook” section of the data protection report.

This means more than just adding the phrase “activities will continue” to this bullet point. It also means fleshing out the item “Implementation of the General Data Protection Regulation”.

The reason: As a data protection officer, you too need timely planning. This is the only way to organise your own activities with a clear structure and avoid unnecessary work and inefficiency.

Standard topics

There are fundamental topics that should be part of every data protection plan:

  • The next data protection topics that require awareness-raising efforts
  • Possible costs of foreseeable data protection measures
  • Scheduled conferences and training courses, etc., that you would like to attend

Your data protection plan should also highlight the current data protection challenges that affect the company.

Legal, organisational and technical topics

Changes in legislation are particularly important for the rest of 2018 and for 2019. The most important law is the EU General Data Protection Regulation (GDPR), but the ePrivacy Regulation is also important. Even after 25 May 2018, it will be important to keep up to date with the latest developments, such as the activities of the European Data Protection Board.

Mention this in the data protection plan and report that you present to management. Management must know that substantial work and costs will be involved.

Consequences of organisational changes

Planned organisational changes may also affect data protection.

This could be the introduction of new procedures, plans to establish a branch, or the global expansion of the company, all of which may have effects on legal and organisational matters.

Consequences of technical changes

Last but not least, technology itself changes rapidly and in turn triggers a large number of changes.

On the one hand, German companies are rather hesitant when it comes to the use of new technologies. This fact was revealed by a survey by Bitkom, the Federal Association for Information Technology. On the other hand, corporate decision-makers see a need for action:

  • Two-thirds (68 percent) of the CEOs and executives surveyed say that German companies are lagging behind or even completely out of the running when it comes to the use of artificial intelligence.
  • Approximately one in two respondents thinks this applies to 3D printing (48 percent), blockchain (47 percent) and robotics (45 percent), and the percentages for Internet of Things (42 percent) and virtual reality (41 percent) as well as big data (37 percent) and drones (31 percent) are not much lower.

Therefore, in the technical outlook section, explain whether new technologies should be used, and derive appropriate measures for data protection.

Consider forecasts for IT security

Another important area for data protection planning is risk analysis, which involves evaluating the threat situation for the company.

For example, as a data protection officer, if you see increasing threats to mobile devices, determine whether the company plans to increasingly use smartphones and tablets.

If so, make sure that the plan includes appropriate data protection measures to address these mobile data risks.

For example, forecasts and warnings about IT security published regularly by the BSI (Federal Office for Information Security) are helpful for analysing risks.

Oliver Schonschek
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection.