
The result after 18 months GDPR

The GDPR has been in effect since May 25, 2018. In the years before its adoption, it was the subject of the fiercest lobbying battle in the history of the EU. It was also controversial in the period that followed, although the feared wave of warning letters did not materialise. Now that it has been applicable for a year and a half, one can draw the following conclusion.

High implementation costs of the GDPR hinder companies

In the meantime, two thirds of the companies have implemented the new data protection rules for the most part. However, only a quarter have fully completed implementation. This is the result of a survey of more than 500 companies from Germany by the IT association Bitkom in September. Legal uncertainty and the difficulty of estimating the cost of implementation are each named as the greatest challenge by two thirds of companies. The most costly part for companies is fulfilling the new information and documentation requirements. 95 percent even believe that the GDPR cannot be fully implemented. And 74 percent report that their customers are annoyed by information sheets and notes on the new rules. However, the companies also see positive aspects: almost two thirds of them are convinced that the GDPR will set global standards for the handling of personal data. And 57 percent expect the GDPR to lead to more uniform competitive conditions in the EU.

Only a minority has fully implemented the GDPR

A predominantly sobering conclusion is also drawn by a study of the management consultancy Capgemini (also from September), for which 1100 managers from Europe, India and the USA were interviewed. Last year, 78 percent of managers were optimistic that they would be able to implement the new regulations quickly, whereas today only 28 percent believe that they have fully achieved this goal. Just under a third stated that they were "largely" in compliance with the GDPR. Complete compliance with the GDPR failed above all because of the adaptation of IT systems, the complexity of the regulatory requirements and the high costs of implementation. On the other hand, 92 percent of GDPR-compliant companies believe that compliance brings measurable economic benefits. These include increases and improvements in cyber security, transformation processes, customer confidence, brand image and employee morale.

While the supervisory authorities initially restricted themselves to informing and reminding companies of violations of the GDPR, they now impose fines, some of which are hefty. The top ten fines in 2019 amount to 402.6 million euros. At the top of the list is British Airways with 204.6 million euros, followed by the Marriott hotel group with 110.4 million and Google France with 50 million. A sanction of 18 million euros was imposed on the Austrian Post ÖPAG. ÖPAG had stored the party affinity of 2.2 million citizens in addition to data such as name, address, gender and age. In Germany, the highest GDPR fine ever imposed was a notice from the Berlin data protection commissioners amounting to 14.5 million euros against Deutsche Wohnen SE. By September, the Berlin authorities had issued a total of 27 fines under the GDPR. Most recently, the Federal Data Protection Commissioner sanctioned the telecommunications and Internet group 1&1 Drillisch. Its subsidiary 1&1 Telecom is to pay EUR 9.6 million.

Long data protection declarations overburden consumers

An evaluation of the GDPR of November 2019 commissioned by the Federation of German Consumer Organisations (vzbv) made many suggestions for improvement. For example, consumers are often overwhelmed by inappropriate information and unclear decision-making constraints. This is the result of the practice of informing about all vague, long-term possible data processing already at the first contact by referring to a comprehensive privacy policy. A new information concept oriented towards the interests of consumers is therefore necessary. According to this concept, data protection information must be offered in a manner that is relevant to decision-making, dependent on the consumer's interests in the respective situation, and in good time before data processing. The technology must be designed in a data protection-friendly way so that data protection does not harass the consumer but is appropriate to the situation and, where possible, also automated. Consent could, for example, be given automatically by a digital "alter ego" of the consumer on his behalf according to predefined criteria, and device settings could also be automatically adapted to his wishes. Finally, the vzbv opinion recommends that the supervisory authorities and courts, in addition to enforcing the law, should also provide manageable explanations that clarify how the often vaguely outlined requirements of the basic regulation are to be implemented.


In addition, the set of rules has also had an impact on mail encryption. While companies from strongly regulated industries such as banks and insurance companies as well as pharmaceutical companies have been using end-to-end encryption for some time, the retail and food industries are currently particularly interested in it. The reason for this is that many large retail chains only want to communicate with food manufacturers in encrypted form in order to keep an eye on order quantities, prices and other conditions. In addition, notaries and doctors, who are bound by professional secrecy, are showing great interest.

Moreover, it is to be expected that many positive effects of the GDPR for consumers and the market will only occur in the future, as enforcement proceedings often take several years. According to Article 97 GDPR, the EU Commission must submit a report on the evaluation and review of the GDPR to the European Parliament and the Council by 25 May 2020. If necessary, it should make appropriate proposals for amendments.


Many companies are still struggling to fully implement the GDPR. But even if the regulations are complicated and abstract, compliance with them brings many benefits. Transformation processes and image are improved and customers gain confidence.
