The most important dos and don’ts for managers regarding data protection
Data protection is not just a topic for IT departments or data protection officers – managers also carry a crucial responsibility. Anyone in a management position must ensure that data protection regulations are complied with and that employees are made appropriately aware of them. In this post, we show the most important dos and don’ts for managers when it comes to data protection.
Dos: Managers should take the following measures
Recognizing data protection as a managerial task
Managing data protection means keeping an eye on compliance with data protection principles in all areas of work and implementing the process specifications from the management system. All of this serves the company’s accountability, which requires the company to be able to demonstrate how the data protection principles are complied with.
Following the Plan-Do-Check-Act cycle, each data processing operation should be described in detail and checked against the data protection principles before it is carried out. For a new processing activity, the data protection officer should be involved in determining whether the planned processing complies with those principles.
Data processing only with a legal basis
All data processing requires a legal basis. Consent is difficult to rely on as a legal basis in the employment context, because employees can rarely refuse freely. Consent is only advisable for the few areas in which employees genuinely face no disadvantage from refusing and an acceptable alternative exists, for example when the date of birth is to be used for personal birthday congratulations and communication within the team.
Ensure transparency
Employees, customers and business partners have the right to know how their data is processed. It must be ensured at all times that data subjects are informed clearly and in plain language about each processing purpose in the data protection information (privacy notice) at the time the data is collected.
For example, if video surveillance cameras are installed, video recordings are made of employees and third parties. This constitutes a new purpose for data processing and must be added to the data protection information. In addition, all persons must be informed about the video surveillance before they enter the area under surveillance.
Data minimization and purpose limitation
Data processing must be limited to what is required for the purpose. When creating forms, check whether every input field is really necessary for the desired result. This applies not only to forms used to collect data from others, but also internally, for example when asking the HR department to obtain certain information about employees. Employee lists with birthdays, personnel numbers, private addresses and salary details are a frequent source of data protection incidents. Even if a manager is authorized to know this data, only the information required for the specific task should be used; everything else should be left out.
Compliance with purpose limitation is important even with the best of intentions. Personally evaluating sick days and praising employees who were rarely ill constitutes an impermissible change of purpose for health data, a special category of personal data, and can lead to fines.
Professional integration of service providers
If service providers receive personal data, a data processing agreement with the company is required in most cases. The data protection team should be involved as early as possible to ensure that the contract is in place and that involving the service provider is permissible at all.
If managers themselves lead teams that process personal data provided by customers, the company acts as a processor and must comply with the requirements of Art. 28 GDPR. The customer’s instructions must be checked and documented, and it must be ensured that the data provided is processed separately and, above all, not for the company’s own purposes.
Manage data protection incidents professionally
If a data breach occurs, it must be reported internally and documented immediately. The IT department, the information security department (if one exists) and the data protection officer should be contacted without delay. Whether a notification to the supervisory authority is necessary depends on the extent of the incident and on the evaluation of the information available, so an immediate, coordinated investigation is required. If there is an obligation to notify, the 72-hour deadline for notifying the supervisory authority must be observed; management usually makes the final decision on whether to notify.
Don’ts: These mistakes should be avoided
Unstructured data storage and unauthorized access
Personal data should not be stored in an unstructured manner or without clear access restrictions. Old data that is no longer needed must be deleted regularly.
Internal investigations without clarification of the legal basis
If there is a suspicion that employees are not complying with internal regulations or are even committing working time fraud, never act without following the proper procedure. First, the legal requirements for conducting internal investigations must be clarified; only then should data be collected, in a way that is as legally sound as possible. The HR department, the legal department, the data protection officer and, if one exists, the works council should be involved.
Applicant data in the e-mail inbox
Organizations without a professional applicant management system face the challenge of giving managers access to all application documents while also ensuring that those documents are deleted after a rejection. If applicant data is sent by e-mail, it should not be archived or saved locally. A good solution is to give managers access to a dedicated subfolder of the applicant mailbox or to an appropriately shared file folder.
Unorganized saving of employee assessment information
Performance appraisals are part of a manager’s job. Creating an overview that is a disordered collection of information about employees, possibly with comments on work ethic, on who likes to be sick on Fridays but posts great pictures on social media on Saturdays, or on who makes radical public statements or seeks mental health treatment, would violate every data protection principle.
Recording employees’ skills is necessary and permissible for the purpose of carrying out the employment relationship and improving work processes. Additional information, such as smoking or private information from social media, encroaches on the employee’s private sphere and may not be used to assess performance.
A standardized performance appraisal form for all employees, defined centrally by the HR department and protected by corresponding access authorizations, has proven successful in practice.
Conclusion: Data protection as an integral part of the management culture
Managers play a central role in the implementation of data protection in the company. Those who understand data protection as a continuous process and actively promote it not only protect sensitive data, but also gain the trust of customers, employees and partners. By following the dos and avoiding the don’ts, managers make a significant contribution to data protection compliance and to strengthening the company culture.