With the publication of the EU General Data Protection Regulation (GDPR) in the Official Journal of the European Union, a common European privacy law has been established and the free, harmonized flow of personal data within the EU has been placed on a uniform legal footing. After a two-year transitional period, the GDPR will apply directly in all EU Member States from May 25, 2018.
Below, we provide an overview of the major changes that enterprises need to take into account as part of their privacy strategy.
The GDPR continues the established principles of privacy law. According to Article 5 GDPR the fundamental principles of data processing are: lawfulness, fairness and transparency of data processing, purpose limitation, data minimization, accuracy and storage limitation, as well as integrity, confidentiality and accountability of the controller. Similar to Sections 28 ff. of the German Data Protection Act (BDSG), Article 6 GDPR permits data processing based on consent, on the legitimate interests of the controller or a third party, or where processing is necessary for the performance of a contract. Also, the designation of a data protection officer (Articles 37 to 39 GDPR), the possibility of commissioned data processing (Article 28 GDPR) and the obligation to maintain a register of processing activities (Article 30 GDPR) essentially remain.
Nevertheless, the GDPR introduces some major changes that will have to be taken into account when processing personal data. For example, the territorial scope (Article 3 GDPR) and the rights of the data subject (Articles 12 to 23 and 77 to 79 GDPR) have been extended, and the conditions under which the processing of personal data is lawful are set out anew in Articles 6 to 10 GDPR.
The GDPR follows a risk-based approach to privacy. In this context, new principles like privacy by design and privacy by default (Article 25 GDPR) and the obligations to demonstrate compliance arising from Articles 5, 24, 32 and 82 GDPR are of high importance. In order to demonstrate compliance with privacy requirements, certifications (Article 42 GDPR), standard contractual clauses (Articles 28 and 46 GDPR) and approved codes of conduct (Article 40 GDPR) will be major topics of privacy strategies.
In the following we focus on some major topics in more detail:
1. Extended territorial scope
2. Data transfer within a corporate group
3. Data transfer to third countries
4. Commissioned data processing
5. New rights of the data subject and extended liability
6. Transparency regulations, privacy policy
7. Data protection officer
8. Required documentation and proof, register of processing activities, certification
9. Privacy impact assessment, prior consultation
10. Notification requirements
11. Increased penalties
12. IT security, Privacy by design, privacy by default
The GDPR provides a wide territorial scope.
First of all, the GDPR applies when personal data is processed in the context of the activities of an establishment of a controller or a processor in the EU (establishment principle), Article 3 sec. 1 GDPR. In this context the place of the establishment, and not the place of the data processing, is decisive.
The establishment principle is complemented by the marketplace principle in Article 3 sec. 2 GDPR. According to this principle the GDPR applies in two situations, even when the controller or processor is not established in the EU:
(a) the processing relates to the offering of goods or services to data subjects in the EU, irrespective of whether a payment is required; or
(b) the processing relates to the monitoring of the behaviour of data subjects, as far as their behaviour takes place within the EU.
In this context Article 27 sec. 1 GDPR is relevant. Enterprises covered by the marketplace principle are required to designate a representative in the EU, unless the processing is occasional, does not include, on a large scale, special categories of personal data as referred to in Articles 9 and 10 GDPR (such as data concerning health, data revealing religious beliefs or ethnic origin, or data relating to criminal convictions) and is unlikely to result in a risk to the rights and freedoms of data subjects.
According to Article 4 sec. 17 GDPR a representative is a natural or legal person established in the EU who represents the controller or processor with regard to their respective obligations under the GDPR and who serves as the point of contact for supervisory authorities and data subjects.
The GDPR simplifies data transfers within a corporate group. According to Article 6 sec. 1 lit. f GDPR data processing for the purposes of the legitimate interests pursued by the controller or by a third party is permitted, as long as these interests are not overridden by the interests or fundamental rights and freedoms of the data subject. Recital 48 GDPR states that controllers which are part of a group of undertakings may have a legitimate interest in transmitting personal data within the group for internal administrative purposes. However, the special requirements of Articles 44 ff. GDPR apply to the transfer of personal data to an affiliated company located in a third country outside the EU (see below).
The transfer of personal data to third countries or international organizations is subject to Articles 44 to 50 GDPR.
According to Article 45 GDPR data transfer is permitted when the EU Commission has made an adequacy decision which states that this third country, a territory or a special sector within the country ensures an adequate level of privacy. So far the EU Commission has approved Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. These decisions shall remain in force until amended, replaced or repealed by the EU Commission.
In the absence of such a decision, personal data may be transferred to a third country or an international organization when appropriate safeguards for an adequate level of protection are provided and enforceable data subject rights and effective legal remedies are available. Article 46 sec. 2 GDPR provides the following possibilities:
(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47 GDPR;
(c) standard data protection clauses adopted by the EU Commission;
(d) standard data protection clauses adopted by a supervisory authority and approved by the EU Commission;
(e) an approved code of conduct pursuant to Article 40 GDPR together with binding and enforceable commitments of the recipient in the third country; or
(f) an approved certification mechanism pursuant to Article 42 GDPR together with such binding and enforceable commitments.
In these cases a special authorization from the supervisory authority is not required.
Subject to the authorization of the competent supervisory authority, data transfers can also take place on the basis of individually negotiated (ad hoc) contractual clauses between the parties or of provisions inserted into administrative arrangements between public authorities, Article 46 sec. 3 GDPR.
In the absence of an adequacy decision or appropriate safeguards, according to Article 49 sec. 1 GDPR a transfer to a third country can take place on one of the following conditions:
(a) the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller, or for pre-contractual measures taken at the data subject's request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary to protect the vital interests of the data subject or of other persons, where the data subject is incapable of giving consent; or
(g) the transfer is made from a register intended to provide information to the public.
If none of these conditions applies, a transfer that is not repetitive and concerns only a limited number of data subjects may exceptionally be based on compelling legitimate interests of the controller, provided the controller has assessed the circumstances and adopted suitable safeguards and informs the supervisory authority and the data subject. In this case, according to Article 49 sec. 6 GDPR the controller shall document the assessment and the safeguards adopted in its register of processing activities (Article 30 GDPR). Pursuant to Article 49 sec. 5 GDPR, EU or Member State law may expressly limit the transfer of specific categories of personal data to a third country for important reasons of public interest.
A note specifically for data transfers to the US:
Until the decision of the European Court of Justice (ECJ) in October 2015, the transfer of data to the U.S. could be based on the Safe Harbor decision. In October 2015, the ECJ ruled in a case concerning the transfer of Facebook users' data to the U.S. that the Commission's Safe Harbor decision is invalid, so that transfers can no longer be based on it. In the ECJ's opinion the legal situation in the U.S. does not guarantee adequate privacy safeguards, in particular regarding the access of U.S. authorities to personal data from the EU. Moreover, the ECJ criticized the lack of legal remedies for data subjects. As a result, a large number of companies have based their transfers of personal data to the U.S. on the EU standard contractual clauses. However, this interim solution may not last either, as the EU standard contractual clauses are expected to be reviewed by the ECJ as well. Moreover, the European Parliament as well as the European Data Protection Supervisor recently published their criticism of the EU-US Privacy Shield, which was negotiated between the EU and the U.S. to replace Safe Harbor. Therefore the legal basis for the transfer of personal data to the U.S. remains uncertain.
Similar to Section 11 BDSG, the GDPR provides for commissioned data processing. In commissioned data processing, the processing of personal data is carried out by a processor on behalf of and in accordance with the instructions of the controller. It is based on a contractual agreement between the processor and the controller.
According to Article 28 sec. 3 and 9 GDPR this agreement shall be in writing, including in electronic form, and shall set out the subject-matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the controller. In particular, it shall oblige the processor to:
(a) process the personal data only on documented instructions from the controller, including with regard to transfers to third countries;
(b) ensure that persons authorized to process the personal data are bound to confidentiality;
(c) take all security measures required pursuant to Article 32 GDPR;
(d) engage sub-processors only with the controller's prior authorization and under the same data protection obligations;
(e) assist the controller in responding to requests of data subjects exercising their rights;
(f) assist the controller in ensuring compliance with Articles 32 to 36 GDPR (security of processing, breach notification, data protection impact assessment and prior consultation);
(g) delete or return all personal data at the end of the service, at the controller's choice; and
(h) make available all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the controller.
The European Commission or the supervisory authority may provide standard contractual clauses for the commissioned data processing, Article 28 sec. 7 and 8 GDPR.
The controller remains responsible for selecting a processor that provides sufficient safeguards that the data processing will meet the requirements of the GDPR. However, Article 28 sec. 5 GDPR provides the explicit possibility to use certifications (Article 42 GDPR) or approved codes of conduct (Article 40 GDPR) to prove the qualification of the processor.
The most important change is probably the processor's own liability towards data subjects for material and non-material damage resulting from an infringement of the obligations specifically directed at processors or from acting outside or contrary to the controller's lawful instructions, Article 82 sec. 2 GDPR.
The GDPR provides new and partially extended rights of the data subject.
Compared to Section 34 BDSG the new Article 15 GDPR expands the right of access to personal data. In addition to the information already required under current law (the purposes of the processing, the categories of personal data concerned and the recipients or categories of recipients), the following information needs to be provided according to Article 15 sec. 1 and 2 GDPR:
(a) the envisaged storage period or, if that is not possible, the criteria used to determine it;
(b) the existence of the rights to rectification, erasure, restriction of processing and objection;
(c) the right to lodge a complaint with a supervisory authority;
(d) where the data are not collected from the data subject, any available information as to their source;
(e) the existence of automated decision-making, including profiling, together with meaningful information about the logic involved and the significance and envisaged consequences for the data subject; and
(f) where the data are transferred to a third country or an international organization, the appropriate safeguards relating to the transfer.
The scope of the right of access is no longer limited by the purpose of the data processing. Furthermore, according to Article 15 sec. 1 lit. h GDPR, special information requirements apply to automated decision-making, including profiling.
Article 15 sec. 3 GDPR states that a copy of the stored data shall be provided to the data subject free of charge. The controller may charge a reasonable fee based on his administrative costs for additional copies requested.
According to Article 16 GDPR the data subject has the right to request the correction of inaccurate data and the completion of incomplete data.
Article 17 GDPR stipulates the "right to be forgotten". If one of the grounds listed in Article 17 sec. 1 GDPR applies, the data subject may request the erasure of its personal data without undue delay. Data shall be erased, for instance, if they are no longer necessary for the purposes for which they were processed, or if the data subject withdraws its consent and there is no other legal basis for the processing. If the controller has made the personal data public, it has to take reasonable steps to inform other controllers processing the data of the erasure request.
Under the conditions named in Article 18 GDPR the data subject has the right to obtain a restriction of the processing. Furthermore, Article 21 GDPR provides the data subject's right to object.
Also, the GDPR introduces the right to data portability, Article 20 GDPR. If the processing is based on consent or on a contract and is carried out by automated means, the data subject has the right to receive its data in a structured, commonly used and machine-readable format and to transmit them to another controller. Where technically feasible, the data shall be transmitted directly from one controller to another on the data subject's request.
The GDPR extends the data subject’s right of compensation and liability. According to Article 82 GDPR controller and processor are liable for all material and non-material damages caused by infringement of the regulation. The new rules lead to a significant extension of compensation claims. The current legal situation regularly provides claims for material damages only. Compensation for non-material damages is limited to serious infringements with high intensity of intervention.
According to Article 77 GDPR the data subject has the right to lodge a complaint with the competent supervisory authority and according to Article 79 GDPR it has a right to an effective judicial remedy in case of infringements of the GDPR.
A fundamental principle of GDPR is the transparency of data processing. Therefore Articles 12, 13 and 14 GDPR state the obligation of the controller to provide extensive information:
According to Articles 12 and 13 GDPR all essential information shall be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, at the time the data are obtained. In particular the data subject shall be informed about:
(a) the identity and contact details of the controller and, where applicable, of its representative and of the data protection officer;
(b) the purposes of the processing and its legal basis, including the legitimate interests pursued where the processing is based on Article 6 sec. 1 lit. f GDPR;
(c) the recipients or categories of recipients of the personal data;
(d) any intended transfer to a third country or an international organization and the safeguards relied on;
(e) the period for which the data will be stored or, if that is not possible, the criteria used to determine that period;
and about their rights (new): access, rectification, erasure, restriction of processing, objection and data portability, the right to withdraw consent at any time, the right to lodge a complaint with a supervisory authority, and whether the provision of the data is a statutory or contractual requirement and what the consequences of not providing them are.
If the data are used for automated decision-making, including profiling, information must be provided on the existence of such decision-making, the logic involved and the significance and envisaged consequences for the data subject (Article 13 sec. 2 lit. f GDPR).
If the controller intends to further process the data for a purpose other than that for which they were collected (new), the data subject needs to be informed in advance (Article 13 sec. 3 GDPR).
Current privacy policies, particularly used online, may still be used. However, the new mandatory legal notices shall be added.
Unlike under current German law, the obligation to designate a data protection officer in Article 37 GDPR is limited to certain conditions. In particular a data protection officer shall be designated in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 GDPR or of data relating to criminal convictions and offences pursuant to Article 10 GDPR.
Furthermore, according to Article 37 sec. 4 GDPR, a data protection officer shall be designated if the law of a Member State requires it. Here, the GDPR leaves the Member States room to legislate on their own. The national rules resulting from this opening clause need to be considered at least by controllers that have an establishment in the Member State in question. Therefore, if the German legislature does not repeal or replace Section 4f BDSG, the present requirements for the designation of a data protection officer will remain. In any case, companies should wait for official statements on how Germany will proceed before making fundamental organizational changes.
According to Article 39 GDPR the tasks of the data protection officer include: informing and advising the controller or processor and its employees of their obligations under data protection law; monitoring compliance with the GDPR, with other data protection provisions and with the internal policies of the controller or processor, including the assignment of responsibilities, awareness-raising and training of staff, and related audits; providing advice on the data protection impact assessment and monitoring its performance (Article 35 GDPR); cooperating with the supervisory authority; and acting as the contact point for the supervisory authority.
Contrary to current law, Article 37 sec. 2 GDPR expressly provides that a group of undertakings may appoint a single data protection officer, provided that the officer is easily accessible from each establishment.
At several points, the GDPR obliges the controller to demonstrate compliance with the regulation, for example in Article 5 sec. 2 GDPR (accountability), Article 24 sec. 1 GDPR (responsibility of the controller), Article 28 sec. 1 GDPR (sufficient guarantees of the processor) and Article 32 GDPR (security of processing):
These obligations to demonstrate compliance are of high practical relevance in the following constellations:
The GDPR does not describe in detail how compliance should be demonstrated. But it explicitly provides controllers and processors with the opportunity to have their data processing operations certified by accredited certification bodies (Articles 42, 43 GDPR) or to demonstrate compliance by adhering to approved codes of conduct (Articles 40, 41 GDPR). Therefore the importance of certifications will grow significantly.
In accordance with Article 43 GDPR privacy certificates, seals and marks of conformity can be granted by certification bodies and supervisory authorities. All approved instruments will be registered and published by the European Data Protection Board. This guarantees the trustworthiness of certificates and certification bodies.
Codes of conduct in accordance with Article 40 GDPR are supposed to be prepared by associations and other bodies representing categories of processors in order to substantiate the requirements of the GDPR considering the specific features of different fields of data processing. In this respect, the goal is to consider the special needs of micro as well as small and medium size enterprises. The codes of conduct will be published and approved by the European Data Protection Board or the national supervisory authorities.
Another way to demonstrate compliance with the regulation is to maintain a register of processing activities. Article 30 sec. 1 GDPR provides a corresponding obligation of the controller. Similar to the internal procedure index in Section 4g para. 1 BDSG, the register shall contain the following information:
(a) the name and contact details of the controller and, where applicable, of the joint controller, the controller's representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
(e) where applicable, transfers of personal data to a third country or an international organization, including its identification and, for transfers based on compelling legitimate interests under Article 49 sec. 1 GDPR, the documentation of suitable safeguards;
(f) where possible, the envisaged time limits for erasure of the different categories of data; and
(g) where possible, a general description of the technical and organizational security measures referred to in Article 32 sec. 1 GDPR.
According to Article 30 sec. 2 GDPR the processor has to maintain a register of all categories of processing activities carried out on behalf of a controller, which has to contain the following information:
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or processor's representative and the data protection officer;
(b) the categories of processing carried out on behalf of each controller;
(c) where applicable, transfers of personal data to a third country or an international organization, including its identification and, where applicable, the documentation of suitable safeguards; and
(d) where possible, a general description of the technical and organizational security measures referred to in Article 32 sec. 1 GDPR.
According to Article 30 sec. 3 GDPR the register shall be in writing or in electronic form. There are no further formal requirements.
The register shall be made available to the supervisory authority on request, while the obligation to make parts of the register available to anyone (Section 4g para. 2 BDSG) does not apply anymore. It is effectively replaced by the obligation to provide the information required by Articles 13 and 14 GDPR.
The obligation to maintain a register of processing activities does not apply to enterprises or organizations employing fewer than 250 persons, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of personal data (Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR), Article 30 sec. 5 GDPR.
If the nature, scope, context or purposes of the processing are likely to result in a high risk to the rights and freedoms of natural persons, the controller has the obligation to carry out a so-called data protection impact assessment (privacy impact assessment) prior to the processing, Article 35 GDPR; the processor shall assist the controller in doing so (Article 28 sec. 3 lit. f GDPR). This allows the controller to decide on the necessary and adequate measures to protect the data.
When determining whether a high risk results out of the data processing, it should be taken into account which risks for the data subject may result out of destruction, loss, unauthorized disclosure or unauthorized access.
Inter alia, a high risk can be assumed if the processing may lead to significant economic, social or physical, material or non-material damage if it is not addressed in an appropriate and timely manner. Examples are the impending loss of control over personal data, limitation of rights, discrimination, identity theft, identity fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation and loss of confidentiality of data covered by professional secrecy. According to Article 35 sec. 3 GDPR a data protection impact assessment is required in particular in the case of:
(a) a systematic and extensive evaluation of personal aspects of natural persons based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9 sec. 1 GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 GDPR; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
In the course of the privacy impact assessment the necessity of data processing and the risks for the rights of the data subject are listed and the resulting adequate privacy measures are specified.
In accordance with Article 36 GDPR the controller shall consult the supervisory authority prior to the processing if the data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk.
The general obligation to notify processing operations to the supervisory authority in accordance with Section 4d BDSG does not apply anymore.
In Articles 33 and 34, the GDPR stipulates which measures need to be adopted in the case of a data breach.
According to Article 33 GDPR the controller shall notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; a processor shall notify the controller without undue delay after becoming aware of a breach. The nature and extent of the breach, its likely consequences and the measures taken to address it and to mitigate its possible adverse effects need to be documented (Article 33 sec. 5 GDPR). According to Article 83 sec. 2 GDPR the manner in which the supervisory authority became aware of the infringement, in particular whether the controller notified it, as well as sufficient documentation can affect the amount of an administrative fine, which is why early and comprehensive notification is in the controller's own interest.
If a high risk to the rights and freedoms of the data subject arises from the data breach, it has to be communicated to the data subject without undue delay, Article 34 GDPR. According to recital 85 GDPR a high risk can be assumed when the personal data breach may lead to a significant economic, social or physical, material or non-material damage if it is not addressed in an appropriate and timely manner. Examples, mentioned in recital 85 GDPR are: Impending loss of control over personal data, limitation of rights, discrimination, identity theft, identity fraud, financial losses, repeal of anonymization, reputation damage and loss of confidentiality of data that are covered by professional secrecy.
The GDPR leads to a considerable increase in the administrative fines that may be imposed for infringements.
Currently the BDSG allows fines of up to EUR 300,000.00 per individual case. Article 83 GDPR increases administrative fines to up to EUR 10,000,000.00 or 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the obligations of controllers and processors (Article 83 sec. 4 GDPR), and to up to EUR 20,000,000.00 or 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the basic principles of processing, of the rights of data subjects or of the rules on transfers to third countries (Article 83 sec. 5 GDPR).
The administrative fine is determined individually in each case and shall be effective, proportionate and dissuasive. In this regard, the supervisory authority shall take the criteria of Article 83 sec. 2 GDPR into account when deciding on the amount of the fine. Inter alia the following criteria are relevant: the nature, gravity and duration of the infringement; its intentional or negligent character; any action taken to mitigate the damage suffered by data subjects; the degree of responsibility of the controller or processor, taking into account the technical and organizational measures implemented pursuant to Articles 25 and 32 GDPR; any relevant previous infringements; the degree of cooperation with the supervisory authority; the categories of personal data affected; the manner in which the infringement became known, in particular whether the controller or processor notified it; and adherence to approved codes of conduct or approved certification mechanisms.
The proof of adequate technical and organizational measures to protect personal data therefore has a mitigating effect. In this context, the principles of privacy by design and privacy by default, certification and compliance with approved codes of conduct discussed above are taken into account by the supervisory authorities. By implementing appropriate and secure data processing operations, controllers can thus significantly influence the amount of an administrative fine.
However, further sanctions may be determined by the Member States.
The GDPR strengthens the focus on a technology-driven approach and on IT security measures.
Article 32 GDPR requires that, taking into account the state of the art, the costs of implementation and the risks of the processing, appropriate technical and organizational measures be implemented to ensure a level of security appropriate to the risk. These measures include, inter alia:
(a) the pseudonymization and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures.
To determine the individual protection requirements, the specific risks for the data subject should be considered, e.g. the risk of destruction, loss, unauthorized disclosure or unauthorized access.
According to Article 25 sec. 1 GDPR the principles of privacy shall already be taken into account during the development and implementation of products, services, applications and technical processes, both at the time of determining the means for processing and at the time of the processing itself (privacy by design). The appropriate technical design shall ensure that:
The principle of privacy-friendly default settings (privacy by default) in Article 25 sec. 2 GDPR provides that, by default, IT systems and applications shall only process personal data which are necessary for each specific purpose of the processing. This applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility; in particular, personal data shall not by default be made accessible to an indefinite number of persons without the individual's intervention.
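One way to enforce privacy by default in application code, as an added example that is not part of the original page: a purpose-bound projection layer that releases only the fields registered for a declared processing purpose, releases nothing when no purpose is declared, and rejects undeclared purposes and over-broad requests outright. The purpose names, field names and the sample customer record are constructed assumptions chosen for the illustration; in practice they would be taken from the register of processing activities kept under Article 30 GDPR.

```python
"""Purpose-bound data minimization as a privacy-by-default control.

Added example for this overview, not code from the original page. The
purposes, field names and the sample record below are constructed
assumptions; map them to your own register of processing activities.
"""
from typing import Any, Dict, FrozenSet, Iterable, Mapping, Optional

# Constructed policy: each declared purpose names the only fields it may
# receive. Anything not listed is withheld, so adding a new field to the
# store cannot leak it into an existing processing operation by accident.
PURPOSE_FIELDS: Dict[str, FrozenSet[str]] = {
    "order_fulfilment": frozenset({"customer_id", "name", "shipping_address", "email"}),
    "newsletter": frozenset({"email"}),
    "fraud_review": frozenset({"customer_id", "email", "ip_address"}),
}


class PurposeViolation(ValueError):
    """Raised when code asks for personal data outside the declared purpose."""


def minimize(record: Mapping[str, Any], purpose: Optional[str] = None) -> Dict[str, Any]:
    """Project `record` onto the fields permitted for `purpose`.

    The default (no purpose declared) releases nothing, and an unknown
    purpose is rejected instead of silently falling back to "everything".
    """
    if purpose is None:
        return {}
    allowed = PURPOSE_FIELDS.get(purpose)
    if allowed is None:
        raise PurposeViolation(f"undeclared purpose: {purpose!r}")
    return {key: value for key, value in record.items() if key in allowed}


def require(record: Mapping[str, Any], purpose: str, fields: Iterable[str]) -> Dict[str, Any]:
    """Fail closed when a caller names fields outside its purpose.

    Unlike `minimize`, which drops excess fields silently, this variant turns
    an over-broad request into an error so that it shows up in a unit test
    rather than in an audit.
    """
    wanted = set(fields)
    allowed = PURPOSE_FIELDS.get(purpose)
    if allowed is None:
        raise PurposeViolation(f"undeclared purpose: {purpose!r}")
    excess = wanted - allowed
    if excess:
        raise PurposeViolation(
            f"purpose {purpose!r} does not cover field(s): {sorted(excess)}"
        )
    return {field: record[field] for field in wanted if field in record}


# Constructed sample record; a real one would come from the data store.
SAMPLE_CUSTOMER: Dict[str, Any] = {
    "customer_id": "c-1042",
    "name": "Example Person",
    "email": "person@example.com",
    "shipping_address": "1 Example Street, 12345 Example City",
    "ip_address": "192.0.2.10",
    "date_of_birth": "1980-01-01",  # stored, but no purpose above may see it
}


if __name__ == "__main__":
    print(minimize(SAMPLE_CUSTOMER, "newsletter"))  # {'email': 'person@example.com'}
    print(minimize(SAMPLE_CUSTOMER))  # {} : nothing is released by default
    try:
        require(SAMPLE_CUSTOMER, "newsletter", ["email", "date_of_birth"])
    except PurposeViolation as exc:
        print("rejected:", exc)
```

The two entry points differ deliberately: minimize() drops excess fields silently, which suits read paths that should keep working when a purpose is later narrowed, while require() fails closed so that an over-broad data request breaks a test rather than surfacing in a supervisory audit. Keeping the policy in a single table also places the description Article 30 GDPR asks for next to the code that enforces it.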
These principles show a modern, technology driven approach and therefore the GDPR reveals clearly pragmatic approaches: Prevention rather than sanctions, privacy by default, embedding of privacy and data security in the design, full functionality, protection during the entire life cycle, visibility, transparency and respect of the user’s privacy. The processing risk of the controller can be reduced considerably, if risks are already minimized on a technical level and data is protected by adequate technical and organizational measures.
However, the GDPR does not contain a catalogue of technical and organizational measures like the annex to Section 9 BDSG. In order to determine which specific safeguards need to be taken, the nature, scope and content of the processed data, the purpose and the circumstances of the data processing, including the respective business processes, IT systems, applications and infrastructures, need to be analyzed individually. Therefore, enterprises should address IT security and privacy by design by means of compliance audits, certification and best practice guidelines. The GDPR also provides the possibility to comply with approved industry-specific codes of conduct, Article 40 GDPR.
Beside the established privacy principles, the GDPR introduces new approaches based on the ideas of prevention and risk calculation. Concepts like privacy by design, standardization and certification shift privacy requirements to a technical level, which hopefully leads to more pragmatic privacy concepts in the future. Therefore the GDPR should not only be seen as a challenge but also as an opportunity for enterprises. The extended possibilities to ensure and demonstrate compliance based on standards and certifications are likely to improve the risk and control management. This might improve the potential and capability to realize data-driven business models.
Therefore companies should use the transition period not only to implement the new requirements, but also to analyze their potentials to create new opportunities under the GDPR.