As a consequence of the European Union’s General Data Protection Regulation (GDPR), which has applied since May 25, 2018, we are consolidating all existing data protection measures, processes and systems throughout the Group into a single Data Compliance Management System. This system is based on the Daimler Compliance Management System (CMS). Its approach helps us meet the GDPR’s accountability requirement, under which the company, as data controller, must be able to demonstrate that personal data is processed in compliance with the Regulation.
The establishment of the Data Compliance Management System was accompanied by the creation of a new Data Compliance unit within the compliance organization. This unit defines the program elements and monitors their implementation throughout the Group. At the same time, the Chief Officer Corporate Data Protection and his team continue to perform the tasks assigned to them by law to ensure compliance with data protection rules. The Chief Officer Corporate Data Protection is independent and reports directly to the Board of Management member for Integrity and Legal Affairs. He informs and advises the data controllers and the specialist departments, serves as the point of contact for data protection complaints, monitors compliance with data protection rules, advises on the conduct of data protection impact assessments and cooperates with the supervisory authorities. We are currently realigning the existing network of local data protection coordinators and merging it into our compliance network.
Our Corporate Data Protection Policy creates Group-wide standards for handling the data of employees, customers and business partners. The internal processes necessitated by the GDPR and the requirements of the Compliance Management System are reflected in a new version of the Corporate Data Protection Policy.
A key component of the Data Compliance Management System is the Data Compliance Risk Assessment, a systematic analysis and evaluation of data protection risks at all business units. These analyses start from centrally compiled information on every business unit and are supplemented with unit-specific details where the risk assessment calls for them. The results form the basis of our risk management and risk minimization activities and allow us to take a risk-based approach to the further development of the Data Compliance Management System.
The results of the annual Data Compliance Risk Assessment serve as the basis for defining measures that address the identified data protection risks. The elements of our data compliance program cover the provisions of the GDPR (for example information obligations, the rights of data subjects and concepts for data erasure), the requirements of local data protection laws, communication and training measures, and various data protection consulting services. Responsibility for designing and implementing the measures lies with the management of each company. Managers in turn cooperate closely with Integrity and Legal Affairs, which also supports them during implementation.
A monitoring plan is used to assess how effectively and efficiently the various measures have been implemented at the business units. The findings of these reviews are used to define improvement measures, which are implemented by the responsible units and departments and then monitored on a regular basis.