The General Data Protection Regulation (GDPR) has been applicable since May 25, 2018. Even before the new regulation entered into force, Deutsche Telekom already took data privacy very seriously. An international project team had been working on the implementation of the new regulations since 2016.
Anyone who processes personal data electronically must keep an eye on the GDPR, and that includes Deutsche Telekom. Data protection regulators can impose heavy fines for violations: up to four percent of a company's worldwide annual revenues.
That is why Deutsche Telekom has done a lot to get fit for the new data protection rules. "Even before the GDPR, we had a very high level of protection thanks to a well-established data protection organisation. A data protection officer has been in place in every Group company since 2004, as is now required by the GDPR. And finally, we looked early on at what the requirements of the GDPR are and how we implement them throughout the company", summarizes Claus-Dieter Ulmer, Group Data Privacy Officer. Together with his team, he ensures that the regulation is implemented at Deutsche Telekom. For example, we have trained more than 35,000 employees specifically for the requirements of the GDPR in addition to the basic training in data protection.
In autumn 2016, supported by the Data Protection Advisory Board, the team first published the so-called "Binding Interpretations". The paper provides information on how Deutsche Telekom interprets and implements the new rules. "Afterwards, we bundled all necessary resources in a Europe-wide project. The aim was to implement the new legal requirements harmoniously and correctly in all European units of the Group", says Ulmer. Within the project, the status quo of the companies with regard to the implementation of the data protection requirements that are already in use in the Group was determined first. Subprojects in the Group companies then ensured that the identified adjustment requirements were actually implemented in the respective companies. EU-wide, more than 550 employees worked on the implementation of the General Data Protection Regulation in 2017 and 2018.
For example, approximately 4,500 IT systems and projects were reviewed again using the PSA process (Privacy & Security Assessment) and adjusted as required. One provision of the GDPR requires a Privacy Impact Assessment for some critical systems. Among other things, the PSA process ensures exactly that. Data privacy experts are at the table from the very first ideas for new products or systems. In addition, 2,800 data protection notices were adapted, and 180,000 data protection contracts were reviewed and, if necessary, also adapted.
More transparency for customers
"In addition to the privacy notices, we offer the Data Cockpit. This enables our customers to easily find out what data we store about them. This is another way in which we meet the requirements of the GDPR", explains Claus-Dieter Ulmer. "The regulation will be implemented in Deutsche Telekom's subsidiaries in the same way as in Germany. We have checked the implementation progress. And we also took random samples. In the so-called 'GDPR Readiness Check' we checked whether the companies met all requirements. We were supported in this by the Group Audit department."
Deutsche Telekom made every possible effort to be fit for the General Data Protection Regulation by 25 May 2018. This effort has paid off. "The GDPR readiness of all companies has been confirmed by the readiness checks, so that we can maintain the confidence of our customers and contractual partners in a high level of data protection at Deutsche Telekom", concluded Ulmer.