1. The processing of personal data is strictly PROHIBITED. For the treatment it needs comprehensible legal bases (contract, law, agreement, justified interest etc.).
2. The GDPR basically adopts all previously known principles of data protection (thus little new).
3. The additional requirements are manageable, but not surprising.
4. The GDPR is a first-class civil servant’s product. Simple and understandable is different. Nevertheless, it should not be underestimated. Unfortunately, however, the drafted Swiss law also goes exactly in this direction (practitioners were apparently not considered in the preparation).
5. The fact that EU countries have committed themselves to a common data protection strategy is remarkable.
6. Data protection authorities are always also party and not all-powerful regulators. Any decision can be challenged in court. Many provisions can be interpreted. Just the question of when something is considered as “processing” (treatment) is highly contentious in some cases.
7. The American providers are much more advanced than the Europeans, at least when it comes to legal (contractual) implementation. Nevertheless, they cannot solve the problem of state access (Patriot Act). This also applies to data held in the EU.
8. Contracts cover only about 25% of the necessary activities, just as important are the creation of transparency (documentation) as a basis for risk management.
9. Risk Management: Key discipline for successful implementation. Important: This is about the risks for the person concerned, not (only) the risks of the person responsible. Nevertheless, an ISMS (Information Security Management System) is indispensable.
10. However, the greatest challenge is certainly the consistent and comprehensive control of personal data: From origin to destruction = information governance).

Our implementation model for GDPR and further Information