Software procurement is a critical step for any business: the choice directly affects operational efficiency, security and legal compliance. A well-planned procurement process ensures that the selected solutions meet regulatory requirements while supporting core business functions, from payroll and HR management to CRM and ERP systems. Selecting software that cannot be operated in compliance with the GDPR, by contrast, exposes the company to legal risk, fines and operational disruption.
To ensure long-term usability and compliance, organizations must assess software based on data protection, IT security, and regulatory requirements before purchase.
Art. 25 GDPR: Data protection by design and by default
Art. 25 GDPR obliges the controller, i.e. the company using the software, to implement appropriate technical and organisational measures so that data protection is built into the processing from the design stage and the default settings are the most privacy-friendly ones. The software manufacturer is not the direct addressee of Art. 25, but Recital 78 GDPR calls on producers to design their products so that controllers are able to meet this obligation. In practice the two are inseparable: a controller can only process data in a GDPR-compliant manner if data protection requirements were taken into account during the design and development of the software it uses. Transparency and control are essential here. Measures should not only benefit the data subjects; they should also support the controller, making it easier to demonstrate compliance under the accountability principle (Art. 5(2) GDPR). When purchasing software, companies should therefore verify that these requirements have been addressed.
The Key Question: What Makes Software GDPR-Compliant?
No software is GDPR-compliant simply because the vendor says so. Before purchase, companies must verify that the product enables the essential requirements to be met, including:
- Data security through access control: strong authentication, such as two-factor authentication, combined with a clear authorisation model (role-based permissions, least privilege) so that users only see the data they need for their tasks.
- Reliable logging: complete, tamper-evident records of who accessed or changed personal data and when; the logs themselves must be protected against deletion and modification by the users whose actions they record.
- Deletion concept: support for statutory retention periods and automatic erasure, or at least blocking, once those periods have expired. Ask how erasure is applied to backups and exports, not only to the live database.
- Protection through encryption: encryption of sensitive data both at rest and in transit, with key management that is not left to the individual application user.
- Data minimisation: pseudonymisation and anonymisation functions reduce the risk of processing. Note that pseudonymised data remains personal data under the GDPR (Recital 26); only genuinely anonymised data falls outside its scope.
A further requirement is that the software must allow measures to be scaled to the actual risk. Art. 25(1) GDPR ties the appropriate measures to the nature, scope and purposes of the processing and to the risks it poses, so privacy by design moves away from rigid, catalogue-like checklists towards a risk assessment for the specific use case. Software that only offers fixed, one-size-fits-all settings makes this harder; configurable controls let companies tailor data protection measures to their own requirements.
Art. 28 GDPR: Managing processors correctly
A point that is often overlooked: as soon as an external provider can come into contact with personal data, be it for maintenance, support or extension of the software, the provider is acting as a processor and a processor agreement is required. Remote maintenance access is the classic case. Companies must pay attention to the following:
- Contract: a data processing agreement in accordance with Art. 28(3) GDPR is mandatory, and it must be concluded before access is granted, not afterwards.
- Clear terms: the contract must define the subject matter, duration, nature and purpose of the processing, the type of personal data and the categories of data subjects, and the technical and organisational security measures the processor applies, including the conditions under which sub-processors may be engaged (Art. 28(2) and (4)).
- Transparency and control: the company remains the controller and therefore remains responsible. It may only use providers offering sufficient guarantees (Art. 28(1)) and must exercise its audit rights (Art. 28(3)(h)) regularly, particularly where the provider has remote access: who connected, when, to which system and for which support case should be logged and reviewed.
Common Pitfalls: When Software Becomes a Compliance Risk
Many software products fall short of the legal requirements and become a compliance risk for the companies that use them. Typical problems include:
- Uncontrolled remote access: external providers can frequently access personal data without the access being restricted, logged or approved case by case.
- No deletion concept: many systems offer no automated erasure, so data is kept beyond the retention period simply because nobody deletes it.
- Hidden costs for compliance: functions needed to implement the GDPR, such as deletion routines or audit logs, are sold as paid add-on modules although they should be part of the basic configuration.
Above all, software should never force users to disclose more data than is necessary for its purpose; data minimisation (Art. 5(1)(c) GDPR) applies to the mandatory fields of an input form just as much as to the database behind it.
Who Pays for Updates and Customizations?
Responsibility for GDPR compliance does not lie solely with the user. Under German law, software that does not meet the requirements of the GDPR can constitute a defect within the meaning of sales-law warranty (Sections 434 ff. BGB, the German Civil Code). The buyer can then demand subsequent performance, i.e. the provider must remedy the defect through updates or adjustments at its own expense.
Important key points here:
- Data protection compliance as part of the contract: If the data protection compliance of the software has been expressly guaranteed in the contract, a defect exists if the software does not fulfil these requirements.
- Basic functions: Software must provide, from the outset, functions for rectifying (Art. 16), erasing (Art. 17) and restricting the processing (Art. 18) of personal data, since the controller cannot fulfil these data subject rights without them.
- Privacy by design and privacy by default: Providers must ensure that the software complies with the principles of the GDPR, for example through data protection-friendly default settings and data minimization.
- Provider liability: If it transpires after the contract has been concluded that the software is not GDPR-compliant, the provider remains liable.
When procuring software, companies should contractually stipulate that the provider is responsible for ensuring ongoing GDPR compliance through necessary updates.
Strategic purchasing: data protection begins with the purchase of software
To prevent compliance issues from the outset, companies should focus on the following aspects when selecting software:
- Data protection friendliness as standard: Are access controls, logging and encryption in place in the standard configuration, or only after paid customisation?
- Obligations of the provider: Are there contractual guarantees that GDPR-relevant updates will be delivered, and at whose cost?
- Support for data subject rights: Can requests for access (Art. 15) and erasure (Art. 17) be processed efficiently, for example by locating, exporting or deleting all data on one person across the whole system?
- Technical documentation: Are the data processing operations documented comprehensibly enough to feed into the record of processing activities (Art. 30) and, where required, a data protection impact assessment (Art. 35)?
Change of perspective: seeing data protection as an opportunity
The implementation of the GDPR should not just be seen as a burden. Companies that actively integrate data protection into their processes can benefit from it in the long term:
- Create trust: GDPR-compliant software signals to partners and customers that data protection is taken seriously.
- Optimise processes: Many of the required measures, such as automated deletion and data minimisation, also lead to leaner workflows and less data to protect.
- Ensure legal certainty: Those who proactively fulfil the legal requirements minimise the risk of fines and legal disputes.
Conclusion: Establishing data protection as a core competence
The GDPR provides clear requirements that companies can meet with strategic planning and well-informed software procurement. When procuring software, businesses must not only choose the right solutions but also ensure well-drafted contracts and ongoing monitoring of compliance.
Need Help Managing Data Protection?
If your company has not yet implemented a data protection management system, now is the time to act.