Holistic solution in data protection: control centrally, implement locally

Data protection as an overall concept at Hubert Burda Media

In order to meet the verification requirements of the GDPR, the implementation of a data protection management system is indispensable in a large diversified company like Hubert Burda Media. The Group Data Protection Officer is responsible, among other things, for controlling the management system. He determines which tasks are to be taken over by the group headquarters and what can ideally be done in the respective companies. The data protection organisation at Hubert Burda Media comprises a small central data protection department, which provides the data protection officer for the operating companies. Data protection coordinators have been appointed in the individual companies.

Before the Data Protection Regulation
Jürgen Kempter is the chief data protection officer at Hubert Burda Media Holding. His most important task in the past two years has been to prepare the company for the requirements of the GDPR. “Before the GDPR, we largely handled almost all data protection tasks centrally,” Jürgen Kempter recalls. “However, after the regulation was published in 2016, we quickly realised that it was necessary to restructure data protection at Hubert Burda Media.”

New law, new requirements for the organisation
The Head of Group Data Protection and an overarching project team had two years after the entry into force of the GDPR to make adjustments that had to be implemented in addition to day-to-day business. “We have restructured our organisation in such a way that many data protection tasks can be handled decentrally in the individual companies. With a central data protection team, we advise colleagues on their tasks, take over the control of data protection management and provide support on new issues, communication with those affected and the authorities,” explains Jürgen Kempter.

The main tasks in the individual companies include:

  • the company-related documentation of the processing procedures
  • the documentation of the order processing relationships
  • the brand-specific processing of data subject rights

Proven software
Even before the GDPR came into force, the data protection team at Hubert Burda Media was using the data protection software otris privacy. The purpose was to structure and document processing activities. Since otris privacy already included functions such as multi-client capability and role and rights management, and due to the considerable time pressure until the GDPR came into force on 25 May 2018, Hubert Burda Media decided to continue working with this special software for the changed data protection organisation. In addition to the functions already mentioned and numerous adaptations to the GDPR, otris privacy stood out in particular due to central data storage and higher-level control instruments for processing requests. “It was particularly important to us that in otris we had a partner who responded to our requirements and worked with us to find solutions,” explains Jürgen Kempter.

Decentralised processing
“The processes in the individual companies where personal data is processed are best known to those responsible on site. Therefore, it makes sense that the documentation on processing activities is maintained decentrally in the respective companies,” explains Jürgen Kempter. The data protection coordinators of about 70 companies in the Burda Group use the central data protection tool to document the data protection tasks in their area. The monitoring, the allocation of rights and the structural specifications – all of this remains the responsibility of the data protection team at the head office.

“In close cooperation with otris, we have simplified the operational work in data protection.”

Jürgen Kempter
Group Data Protection Officer, Hubert Burda Media

Contract Processing
A fundamental directive to the individual companies is the complete documentation of the commissioned processing. Through the GDPR, the legislator has increased the requirements for this complex of tasks. otris privacy simplifies maintenance, administration and monitoring: “Organising order processing in such a large group is a challenge. Hundreds of data processing contracts have to be concluded with supplying companies. Some of the companies are also processors themselves for third parties. otris privacy helps us with the organisation and documentation,” explains Jürgen Kempter. The uniform structure across the group makes it easier for those responsible in the companies to fully document and allocate all agreements on order processing.

Rights of data subjects
The third set of topics is the processing and documentation of data subject requests. “It was important to us that data subjects can send us a data disclosure and deletion request in an uncomplicated way and via defined channels. With more than 500 media products, we have received around 20,000 requests since May 2018, which we have to answer within the deadline of one month required by law,” explains Jürgen Kempter. Together with otris, Jürgen Kempter and his team developed a system according to which affected party enquiries are processed on a brand-specific basis. “In our case, the way of linking the data subject information to the brand is much more user-friendly than linking it to the company. After all, the reader of our publications – e.g. Bunte.de or Focus online – does not necessarily know that Hubert Burda Media is the responsible publisher,” explains Jürgen Kempter. With otris privacy, the data protection officer realised his goal of granting users of all Burda online publications the simple exercise of all data subject rights.

In practice, this works with the help of a web form that is made available via a link on the website of the respective publication. The user fills out this form to inquire, for example, what personal data has been stored about him or her. The system forwards the request to an employee responsible for processing (data research, information, deletion, etc.). The entire process is documented automatically. For requests that are at risk of not being processed within the prescribed deadline, the integrated deadline workflow issues a warning. If an employee does not react, the warning is forwarded according to a predefined escalation process.

In the future: Adapted reporting
Adapting the data protection organisation to the GDPR was an enormous challenge for Jürgen Kempter and his team. The task was simplified by the data protection software otris privacy. Even though the processes are now established and functioning, there is potential for improvement in every system. In order to better allocate resources when processing data subjects’ rights, the reporting in the software is to be adapted to this specific requirement. Overviews of request numbers and processing efforts in relation to the respective brands have so far been created via the data export with subsequent preparation. The plan is to integrate this individual reporting into otris privacy. Jürgen Kempter summarises: “As a group, we have large amounts of data to process and many special requirements due to our very broad spectrum of brands (from gardening magazines to doctors’ rating portals). In close cooperation with otris, we have simplified the operational work in data protection. Our data protection organisation is on a stable foundation.”