An interim balance sheet after about one year of EU GDPR
The EU GDPR has applied in all EU member states since May 2018, after a transitional period of two years. It was clear from the outset that the new rules would be a challenge for some companies and organizations. After about a year, the picture is partly worrying, as various studies show. Small and medium-sized enterprises in particular are still lagging behind; some of them are far from complying with the new rules.
Aims and contents of the General Data Protection Regulation
The aim of the GDPR is to strengthen the fundamental freedoms and rights of natural persons and the protection of personal data through a uniform data protection standard in the EU. It contains 99 articles, which are explained in detail in 173 recitals. Among other things, it covers:
- principles and lawfulness of data processing
- tasks of data protection officers
- handling of data subjects' information rights
- security of data processing
- keeping a record of processing activities
- the entire area of data security.
Changeover to GDPR hampered by effort
The complexity of the General Data Protection Regulation was intimidating from the very beginning, particularly for small and medium-sized enterprises and organizations. The results of a study by the digital association Bitkom in September 2018, four months after the deadline, already indicated this: many companies had not yet reacted sufficiently to the entry into force of the new regulation.
Only 24 % of the more than 500 companies surveyed in Germany said they had completed the changeover in full. 78 % complained of higher costs due to the EU GDPR, and 96 % already called for improvements.*
Lack of proportionality drives small players out of digital offerings
Bitkom President Achim Berg made a similar statement in May. He complained that member states, data protection authorities and companies still interpret the data protection rules differently. In addition, it is problematic that no distinction is made between global corporations and small and medium-sized enterprises. This puts the smaller ones at a disadvantage.
More “everyday assistance” needs to be provided, Berg said. Three out of four companies already see the EU General Data Protection Regulation as the biggest hurdle in the use of new technologies.** According to a survey by the Stuttgart University of Applied Sciences, small businesses and organizations (e.g. associations) respond to their uncertainty with drastic measures: fearful of breaking the rules, they restrict or even give up their digital offerings altogether.***
Insufficient knowledge of regulations and penalties in companies
Further studies on the subject confirm Bitkom's findings. At the beginning of 2019, about a third of the companies surveyed had not even started the changeover. Several others were unsure whether they would be GDPR compliant by the end of 2019. It was also problematic that companies' IT systems supported the changeover to GDPR compliance only to a limited extent. Experts attribute the problems with the changeover to insufficient knowledge, and in part also to companies failing to assess how important the changeover is.
A study by software manufacturer TeamDrive, for example, found that most companies were more concerned with protecting their own IT infrastructure from hacker attacks than with compliance with the EU GDPR.**** This may also be related to too little knowledge of the possible penalties.
Tough sanctions for GDPR violations
In fact, companies should not take the requirements of the General Data Protection Regulation lightly, because the possible fines for non-compliance are severe. The requirement is that fines are not only effective and proportionate in each individual case, but also a deterrent. With a penalty framework of up to 20 million Euros or 4 % of worldwide annual turnover for particularly serious violations, this is likely to be the case.*****
In Germany, only 81 fines totalling €485,490 had been imposed by July 2019. Others, however, have felt the EU rules more painfully. British Airways, for example, was fined USD 229 million, and the Marriott hotel group had to pay a fine of USD 123 million.******
GDPR not only causes problems
Despite the negative aspects, Achim Berg says, there are also some positive results. For example, the EU regulation has had an “international radiance effect”: it has led global corporations and important trading partners to align themselves with it.** Likewise, fundamental awareness of data protection has increased. This means not only greater protection of personal rights, but also a better competitive balance within Europe and worldwide.
Professionals provide relief in the paragraph jungle
Many companies consider the EU General Data Protection Regulation too complex and fear high costs, which may arise from non-functional IT systems and major changes in data management as a result of a comprehensive switch to legally compliant data processing. All this is understandable. Nevertheless, closing one's eyes to the problem is not a solution; the fines speak for themselves.
Instead, studies show that, contrary to the previously common patterns of action of companies, it makes sense to seek external help. IT service providers and legal consultants specialize in this. They lead companies and organizations through the tangle of regulations and do a good job in the process.
- Right to information
- Right to be forgotten
- Obligation to provide proof
- Data minimisation
- Right to data portability
- Right to restrict processing
- Right to object