Data protection: Top 10 to-dos to prepare for the GDPR


It’s still not too late – but it soon will be! The GDPR deadline is approaching fast and causing some folks to feel the heat. These Top 10 tips will enable online print providers to take some important action.

It remains to be seen within the next few days whether the politicians come up with a few more “simplification” arrangements for certain groups shortly before the new Regulation enters into force. What is definite though is that the GDPR will have to be implemented very soon – and that applies to all businesses. With the support of Dr. Martin Schirmbacher I have already reported here on the potential “hiccups” that online print providers are set to be faced with when the GDPR enters into force. And because this issue is more urgent than ever, Martin Schirmbacher, an attorney specializing in IT law at Härting Rechtsanwälte and legal adviser to the Initiative Online Print, has compiled a helpful Top 10 hit list for those now being forced to take swift implementation action.

© Photo by Härting Rechtsanwälte /

The GDPR is now just around the corner and an amazing number of companies have not prepared or only prepared very inadequately for it. Many companies, including several online print providers, have not taken any action at all to comply with the new data protection law. Anybody who makes inquiries to specialist consultants or attorneys at this late stage is greeted with a nervous, weary smile. Full GDPR compliance is no longer achievable by the May 25 deadline. But nobody need panic. What’s important is to prioritize. Plenty of the to-dos can also be actioned or completed once the General Data Protection Regulation has entered into force.

The following list is designed to provide a little guidance. The topics are listed in order of urgency, not importance.

Top 1: Reobtaining opt-ins

According to GDPR Recital 171, consents obtained in the past continue to be valid if the nature of the consent already provided corresponds to the terms of the GDPR. The ‘Düsseldorfer Kreis’, the association of German data protection supervisory authorities, assumes that this will generally be the case, unless the consent contravenes the new coupling ban or is targeted at minors. Anybody who previously obtained and documented opt-ins does not have to obtain new consents. Many re-opt-in campaigns are illegal and/or pointless (and in many cases ineffective too). If you have opt-ins but these are not sufficiently documented and you therefore wish to obtain new consents, then you must do that now.

Top 2: Amendment of data protection statements

The data protection statement on an online print provider’s website must be amended to comply with the GDPR. In particular it needs to provide information about data collection. Consumer information transparency requirements are more stringent than those that comply with prevailing law. For example, the legal basis for data processing must be stated. If the Federal Data Protection Act (BDSG) is still mentioned in the data protection statement, then that statement needs to be amended.

Top 3: CDP agreements with agencies/tool providers

If personal data is contract-processed by a tool provider or other agency, then a contract data processing agreement must be concluded. In accordance with Art. 24 of the GDPR the person(s) responsible must ensure that data processing is performed in a lawful manner. Furthermore that person has a legal responsibility only to select and work with contract data processors that can adequately guarantee to put appropriate technical and organizational arrangements in place in accordance with Art. 28 Par. 1 of the GDPR.

Top 4: Cookie banner

The legal position in respect of cookies and the need to obtain consent is currently TBA. You can’t really tell from the GDPR whether a cookie banner is required or not. Furthermore the relationship between European data protection rules and the German Teleservices Act has not been clarified. The data protection authorities evidently regard every tracking cookie as requiring consent to be obtained. That is certainly not correct, although the adoption of a cookie banner may be advisable. A distinction between essential cookies (for instance for a shopping basket function) and tracking/targeting cookies should be made.


If you as an online print provider still have to plan how you are going to implement the GDPR, you have little time left – the above urgency schedule provides a little relief: Source: Härting Rechtsanwälte

Top 5: Legal checks on CRM/DMP

According to GDPR Recital 47 / P.7, the processing of personal data for the purposes of direct advertising can be regarded as data processing that serves a legitimate interest. In certain circumstances the personalization of advertising can be based on a legitimate interest. However the aim of the GDPR is to prevent total customer transparency, meaning at any rate that creating in-depth customer profiles requires consent. Every CRM system and every data mining platform, in which customer data is stored, should therefore be subjected to detailed legal checks.

Top 6: Data protection officer

According to Art. 37 of the GDPR a data protection officer must be appointed, if data processing is the company’s core activity. Furthermore § 38 of the BDSG stipulates that a data protection officer is required if generally at least 10 people within a company are permanently occupied with data processing activities, which is new for Germany. Companies face a massive fine if they don’t appoint a data protection officer. This minimum of 10 persons includes all call center agents, service or accounts staff. This does not apply to printing or packing staff, even if they see order-related data or occasionally come into contact with personal data as part fulfilling customer orders.

Top 7: Right-to-information process

General requirements as regards the rights of those affected are determined by Art. 12 of the GDPR. In particular companies are required to provide information without delay as soon as anybody exercises their right to information about their stored personal data. An internal company process therefore needs to be created, which enables rapid merging of all stored data relating to the customer or potential customer.

Top 8: Facebook plugins

The ECJ will shortly deliver judgments about two fundamental issues relating to Facebook: who is responsible for data collection on a company’s Facebook page and is the inclusion of a Facebook widget or the Like button regarded as data collection by the website operator and data transfer to Facebook? It remains to be seen what happens. Until then it seems advisable to opt for a solution that allows for the transfer of IP data to the social network only after the website user has consented (e.g. Shariff).


Business cards are “bread-and-butter jobs” for many online print providers. Is the GDPR creating a new set of obligations? Source:

Top 9: Processing activities directory

Very important but not ultra-urgent is the completion of a directory of processing activities. This is the substantiation of general accountability obligations as stated in Art. 5 Par. 2 of the GDPR and provides the data protection authorities with a starting point for any inspections they carry out. All online print providers will have to keep such a directory, irrespective of company size. This is namely a permanent obligation if the processing of personal data is not just an occasional activity within the company. That includes companies that always print business cards. For each individual data processing procedure the directory must contain at least the following information: data processing name and purpose, legal basis, processing description, parties affected and recipients as well as  those authorized to access the data, personal data / data categories, standard deadlines for the deletion of data plus a general description of technical and organizational measures in place.

Top 10: Data deletion concept

What’s also important but not absolutely urgent is coming up with a data deletion concept. A deletion deadline must be determined for every item of legal basis-dependent stored data. Exceptions apply if statutory retention periods have been prescribed. Deletion concepts should be developed in order to ensure proper compliance with these periods/deadlines at all times. These concepts must then be put into practice to ensure that personal data is actually deleted as well.

Data protection: Top 10 to-dos to prepare for the GDPR
Article Name
Data protection: Top 10 to-dos to prepare for the GDPR
It’s still not too late – but it soon will be! The GDPR deadline is approaching fast and causing some folks to feel the heat. These Top 10 tips will enable online print providers to take some important action.
Publisher Name

Founder and CEO of zipcon consulting GmbH, one of the leading consulting companies for the print and media industry in Central Europe. The technology and strategy consultant and his team actively support practical implementation in a wide variety of customer projects. His work involves developing visions, concepts and strategies for the players active in the print production process across a wide range of industries. His areas of expertise include online print, mass customization, strategy and technological assessment for print, and the development of new strategies in the print and media environment. Bernd Zipper is the creator and chairman of Initiative Online Print e.V. and, in addition to his consulting activities, is an author, lecturer and sought-after speaker, orator and moderator. His visionary lectures are regarded worldwide as trend-setting management recommendations for the print and media industry. (Profiles also in Xing, LinkedIn).

Leave A Comment