Data protection in the company – all-embracing awareness

by Annika Sandig
Last edited on: 2023-07-06

Anyone who owns their own business or wants to start one should not only think about products, marketing, positioning, sales, human resources management, accounting and logistical aspects – for all of this to work smoothly, the issue of data protection must also be handled very responsibly. After all, anyone who hires employees or manages customer addresses is dealing with personal and sensitive data. Just like all internal company information, this data must be collected, stored, protected and also deleted in a special way. Negligence in this area can cost the company a lot – and not only financially!

Yes, we can well imagine that you are tired of hearing about it: after all, the GDPR has been present always and everywhere over the last two years, be it the cookie banner when you open a website or the detailed privacy statement that was, or had to be, handed out alongside all kinds of contracts. More and more, the corresponding bureaucratic processes are becoming a "necessary evil" that is simply rushed through. The danger here is that, in the long run, the topic is again handled without much thought: at the latest once a certain routine has set in, bad habits creep back in here and there.

However, this is a significant risk in the "digital era", where ever-larger volumes of data can be transmitted over ever-faster connections.

Ignorance of the topic is not only risky for consumers at a private level. The situation becomes particularly problematic if, as an entrepreneur, you do not take the topic seriously, this attitude spreads to the company's employees, and ultimately customers and partners are affected.

To prevent this from happening, we would like to use this blog post to remind you of the relevance of the topic and give you a few tips on how to bring your colleagues and employees along with you.

For a basic understanding, we would like to summarize the most important facts about data protection in the company here:

Legal framework conditions

The German Federal Data Protection Act (BDSG-neu) ensures that each individual person may decide whether and for what purpose his or her own personal information may be used. It regulates the digital and analog processing of data and thus upholds the individual's right to informational self-determination, which is derived from the German Basic Law.

The GDPR also protects personal data in a special way. Among other things, it specifies the conditions under which these may be processed by companies.

Two key requirements are, on the one hand, purpose limitation (there must be a legitimate reason for collecting the information) and, on the other, the way in which the relevant data is handled.

The company must also inform the data subject about the purpose, duration and legal basis of the data collection and provide the contact details of its data protection manager. This is where the next point comes in:

Depending on the size of the company and the data it processes, a data protection manager must be appointed as a specially trained, professional advisor. This person takes on tasks such as:

  • checking to what extent which data are processed in the company and how
  • assisting in the creation of a register of processing activities
  • documenting data protection measures
  • informing employees about their obligations with regard to data protection
  • conducting regular briefings of employees
  • checking the implementation of corresponding guidelines and measures
  • advising on questions in the area of data protection
  • and representing the company externally with regard to data protection

What in particular needs to be considered?

Anyone who collects and stores data must also create a privacy policy. Even though there are now many tools that help you create one, you should check and discuss it very thoroughly with your data protection manager and then publish it in all the necessary ways.

No special consent is required for the collection of data relevant to the contract (name, address, telephone) when concluding a contract – for all data above and beyond this, the relevant consent of the person concerned is required.

The customer, partner or employee must be given the opportunity to object to the storage of the data retrospectively, i.e. to withdraw consent. If this happens, it is very important that the employees also implement this immediately. If this does not happen and, for example, the customer notices it afterwards, this can cost you not only high fines, but also your image.

When collecting, storing and retaining data, not every employee should be able to view and edit it. Individual logins not only enforce this restriction but also make it possible to trace the processing history afterwards, should that become necessary.

Furthermore, the data may only be collected for the intended purposes and used to the extent necessary, and it must be deleted again as soon as that purpose no longer exists and no other legal requirement calls for further storage. Here it is important that the corresponding files and data are destroyed in a non-recoverable manner.

It is important that personal and internal company data cannot be viewed by unauthorized persons or outsiders.

Technical measures

Not only at the behavioral level, but also at the hardware and software level, data protection and data security are of great importance! A very special role in the topic of data protection is of course played by the topic of information security – how secure are the IT systems, what kind of security is in place in the business building?

Points such as access control are important here. Unauthorized persons should not be able to access the data processing systems and the corresponding data. Recovery options in the event of technical problems are also important in terms of data protection.

The computer systems used should, of course, be protected by appropriate measures such as antivirus programs, firewall, etc. If you work with a hosting provider, it is very important to pay attention to the security of the server infrastructure and the certification of the corresponding data center.

Even though it is said over and over again, it is still just as important: use long and complex passwords and a different one for each service. When managing them, a password manager can be useful. For secure digital communication, for example, you can work with appropriate encryption programs.

How can awareness be raised?

When it comes to data privacy, there are two groups of people. One is very thorough about their personal or business information: many of you deliberately avoid certain social media and messenger services, or read the privacy statement of an offer very carefully only to conclude that it is better not to use it after all. The other thinks: "I have nothing to hide, I don't care what happens to my data, there are so many people in this world! Stop making such a fuss about it!"

In the business context, too, employees may regard data privacy as nothing more than a necessary and annoying evil. But if employees are not aware of its relevance, it can quickly happen that the topic is dealt with carelessly here and there and one or two harmful behaviors therefore occur.

Even the best security systems are of no use if an employee working from home or in the field accesses the company's internal network via a VPN connection, but places the laptop in a café in such a way that the person at the next table can read the data on the screen. If employees make random or uncontrolled copies of customer data, it is difficult to locate all of them when the time comes to delete them, and thus to fully comply with the obligations. Employees should be made aware of these pitfalls.

Make the topic of data protection interesting for your employees! Particularly if employees are not yet aware of the issues involved, it makes sense to explain the necessity of data protection to them, and not just with the help of countless documents that they have to sign. Personal discussions or an engaging presentation on the subject can help employees internalize the relevant topics and guidelines better and more lastingly. Work with illustrative examples and teaching methods. Workshops, games or e-learning offerings can also be used to convey the necessary knowledge. Knowledge conveyed in an entertaining or playful way stays in people's minds much longer and is therefore more sustainable.

You can also raise awareness by illustrating the relevance with vivid examples from private life, because those who recognize the importance of the topic for themselves also develop more awareness of how important data protection is for other individuals, i.e. customers or employees. For example, you could provide your employees with helpful tips for private use, such as using alternative search engines, securing passwords or storing data securely in a cloud.

It is important that you and your employees do not simply memorize the rules in terms of data protection, but develop a good sense of data protection.


Data protection and data security is much more than just a necessary evil. If you deal with the issue responsibly, you not only save yourself annoying visits to the authorities and fines, but also enhance the company's image and promote skills among your employees that can also be useful in their private lives. Communicate that you really take data protection seriously and give your employees the necessary sensitivity for this! Overall, you will not only strengthen the trust of your customers and suppliers, but also that of your employees and other business partners.

Note: This article does not claim to be completely comprehensive with regard to the topic of data protection. For detailed advice, please contact an expert in the field of data protection law.
