Fri, Jan 17

How to Avoid Becoming a Data Controller

Czech Republic

Conducting legal due diligence on the target company is standard practice before completing a transaction. Even today, eight years after the GDPR came into effect, some companies still fail to implement basic data protection principles in their internal policies or in their relationships with business partners and suppliers. Some even claim not to process any personal data at all.

What measures would a person or company need to take today to entirely avoid data protection regulations?

First, they should have no employees or other cooperating persons. They should also refrain from storing payroll records, providing access to fitness facilities for employees or their family members as a working benefit, and cooperating with suppliers or distributors. The company or person should have no external accountants or IT specialists, no client database, and should not send any business communication or marketing materials. They should not receive job applications or keep their employees' CVs.

Furthermore, the company or person should have no business partners, including those outside the European Union. They should also avoid using cameras in their business or internal premises, including parking lots, and should not install GPS trackers in company vehicles used by employees.

If you meet all these conditions, you are on the right track to avoid data protection regulations.

But don't celebrate too soon — certain data protection principles will still need to be in place. One common practical challenge, not directly addressed by the GDPR, is conducting company audits, which are a routine part of any company's "life". Ask yourself: do you have the necessary rules in place for audit purposes?

In today's globalised world full of international companies, suppliers and distributors, another critical issue is the transfer of personal data to third countries. While cooperation with certain global processors may be essential for some companies' business activities, the same practice can become an insurmountable obstacle for the company's key customer. Is it realistic to obtain consent from a parent company based in the U.S. or Geneva every time its Prague subsidiary decides to hire a new accountant, IT specialist or cloud storage provider?

If data protection has not yet caught your attention, consider that GDPR principles have a dynamic impact on all other aspects of daily life. The well-known German Facebook case demonstrated that violating GDPR principles can also breach competition law rules — a potentially costly matter.

Complying with data protection principles simply pays off!

By Vladena Svobodova, Senior Associate, JSK, PONTES