Since May 25, 2018, the General Data Protection Regulation (GDPR) has been in effect in Germany and across Europe (EU) — essentially the cleaning rulebook for your resilience apartment. The GDPR governs how companies handle personal data. As a regulation, it does not need to be transposed into national law — it applies directly. The GDPR also applies to companies based outside the European Union if they process data of EU citizens. While the regulation was primarily intended to control the handling of personal data by major tech corporations (such as Google, Facebook, and Twitter), it affects all medium-sized companies — and yes, even small blogs run by private individuals.
What Are Personal Data?
Personal data are data that are not collected completely anonymously and can therefore be assigned to a specific person. These include names, income, addresses, birthdates, email addresses, even photos, and individuals’ browsing and click behavior.
It does not matter where this personal data comes from—whether from online forms, CRM activities, data purchases, or internal HR systems—if it involves EU citizens, it falls under the GDPR. Updating the privacy policy on a website is not enough. Companies should also scrutinize their databases.
Personal Data Present? Companies Have an Obligation
Under the GDPR, the burden of proof has shifted. This means that if an individual requests information on whether and why your company processes their data, you must either be able to prove that you do not process any of their personal data, or provide a copy of the data that is current, accurate, and complete at the time of the request. All data from internal IT systems and any external data processors must be taken into account. In the event of a complaint to the supervisory authorities, you must be able to document what information was provided, when, and what corrections or deletions were made.
Another key requirement of the GDPR is the right to be forgotten. Upon request, you must delete personal data immediately—provided there is no longer a contractual or legal basis for retaining it. Personal data must also be deleted if the original purpose for its use no longer exists—for instance, when a contract has ended or an employee has left the company.
Personal data may only be used if there is a legal basis for doing so, such as the individual’s explicit consent. For minors under the age of 16, parental consent must be obtained from the outset.
Data Protection and Databases
Avoid fundamental mistakes: At the beginning, we defined what constitutes personal data. Many companies are confident they do not store unauthorized personal data. The issue is that even fragmented or duplicate records—such as a record with a misspelled name but correct email address—can become relevant. The challenge lies in identifying and listing all distributed personal data, including incorrect or duplicate entries, especially in databases that are not perfectly maintained. Ultimately, any data that can be used to identify a person through research is affected.
3 Important Steps for Your GDPR Database Check
The right data protection software or data quality tools can help companies gain better transparency regarding their GDPR compliance.
1. Initial Database Analysis: A GDPR compliance check is carried out on the database. Ideally, this data inventory is performed across all systems. You will often encounter legacy databases that can no longer be managed and contain personal data that cannot be deleted. In such cases, the software architecture and its links to other databases or applications are reviewed.
2. Review Data Types and Formats: The next step involves using the software to examine what types of data exist, whether all relevant fields are filled, and whether the formats are correct.
3. Define What Needs to Be Deleted or Disclosed: Based on the GDPR requirements, a data model is created to determine which personal data must be deleted, pseudonymized, or disclosed. Ideally, a regular cleanup process is established and documented in a deletion policy. This is a flexible, iterative process that involves the customer and remains transparent and traceable.
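As an added example (not from the original article or any particular data quality product), the following Python script runs the three steps above against a constructed in-memory SQLite database: it inventories every record that plausibly belongs to one data subject across two systems, catching the misspelled-name/correct-email duplicate mentioned earlier through email normalization and a fuzzy name comparison, then deletes the rows with no remaining legal basis and lists the rest for disclosure. The table and column names, the legal_basis column and the 0.75 similarity threshold are assumptions for the illustration.

```python
import sqlite3
from difflib import SequenceMatcher

# Constructed sample data (not a real system): overlapping records for one person, with typos and lapsed bases.
ROWS = {
    "crm_customers": [
        (1, "Anna Schmidt", "Anna.Schmidt@example.com", "contract"),
        (2, "Ana Schmit", " anna.schmidt@example.com ", None),  # misspelled duplicate, basis lapsed
        (3, "Ben Weber", "ben.weber@example.com", "contract"),
    ],
    "newsletter": [
        (10, "A. Schmidt", "ANNA.SCHMIDT@EXAMPLE.COM", "consent"),
        (12, "Anna Schmitt", "anna.s@oldmail.example", None),  # old address, misspelled, basis lapsed
    ],
}

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    for table, rows in ROWS.items():
        conn.execute(f"CREATE TABLE {table} (id INTEGER, name TEXT, email TEXT, legal_basis TEXT)")
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?, ?)", rows)
    return conn

def normalize_email(addr): return addr.strip().lower()
def name_similarity(a, b): return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def find_subject_records(conn, email, name, threshold=0.75):
    """Steps 1-2: list every row in every table that plausibly belongs to the subject,
    matching on normalized email or, failing that, on a fuzzy name comparison."""
    wanted, hits = normalize_email(email), []
    for table in ROWS:  # table names come from our own constant, never from user input
        for rid, rname, remail, basis in conn.execute(
                f"SELECT id, name, email, legal_basis FROM {table} ORDER BY id"):
            if normalize_email(remail) == wanted:
                hits.append((table, rid, basis, "email"))
            elif name_similarity(rname, name) >= threshold:
                hits.append((table, rid, basis, "fuzzy-name"))
    return hits

def apply_deletion_policy(conn, hits):
    """Step 3: rows with no current legal basis are deleted; the rest are disclosed."""
    deleted, disclosed = [], []
    for table, rid, basis, _ in hits:
        if basis is None:
            conn.execute(f"DELETE FROM {table} WHERE id = ?", (rid,))
            deleted.append((table, rid))
        else:
            disclosed.append((table, rid))
    conn.commit()
    return deleted, disclosed
```

In a real inventory the fuzzy matches would be reviewed by a person before deletion, since a low threshold will also pull in unrelated individuals with similar names.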
Assess Database Data Quality – Without Halting Operations
Data is the fuel of digital transformation. It is valuable and regulated under the GDPR. Databases must be properly maintained to unlock their potential and avoid accidentally triggering fines. Analysis and subsequent protection should be automated as much as possible. One solution is data quality tools, which ensure data integrity through daily background checks.
Establish a Data Deletion Policy
Even if companies understand that individuals have the right to have their data deleted, many data handlers are still unclear about when, how, and under what circumstances data must be systematically removed. To avoid inadvertently violating regulations—and risking hefty fines—data protection officers should not only be well-versed in GDPR content, but also capable of supporting their colleagues with practical guidance.
A proven strategy is to launch an internal initiative for a company-wide deletion policy. This policy defines a deletion routine that applies across departments and can be understood and applied even by employees who are not data protection experts.