
11 months of GDPR: What are the main findings?

As early as 1995, the European Parliament adopted the Data Protection Directive, which deals with the protection of individuals with regard to the processing of personal data. The topic of data protection has therefore played an important role in Germany for a long time. Nevertheless, the entry into force of the GDPR in May 2018 presented many companies with challenges. In particular, companies that had not yet dealt with the topic of data protection had to first implement the basic requirements of the GDPR. But what are the most important findings after just 11 months of the GDPR?

1. The supervisory authorities have focused on advice in 2018

Last year, the supervisory authorities concentrated mainly on advising companies. Authorities received many inquiries from small enterprises and associations in particular. There was uncertainty as to which specific measures had to be implemented in the wake of the GDPR. This uncertainty was counteracted by consulting services and templates for implementing the standard requirements. In addition to the consulting services, however, hundreds of data breaches were reported to the supervisory authorities, which were already being processed step by step in 2018.

2. Wave of warnings has failed to materialise in 2018

It was feared that a wave of warnings would roll over German companies when the GDPR came into force. In this context, it was expected that warnings could be issued for privacy statements on websites that do not comply with the GDPR. However, this wave of warnings did not occur in 2018.

However, initial legal rulings show that companies that neglect the information obligations in their privacy statement still violate competition law requirements, because companies that implement data protection requirements incorrectly create competitive advantages for themselves over other companies. As a result, it is to be expected for the period 2019 / 2020 that the proportion of warnings will increase due to incorrect privacy statements. Among other things, this is also due to the fact that the ePrivacy Regulation will presumably come into force in this period.

Therefore, we advise you to implement the privacy statement and the information obligations in full.

3. Supervisory authorities will carry out more intensive and unprompted inspections in 2019

By the end of 2018, some supervisory authorities had already actively checked the implementation of the GDPR.

The supervisory authorities in Bavaria should be mentioned here in particular. On their website you can read which companies are likely to be subject to an inspection and which topics are covered in the course of such an inspection. Thuringia is also just beginning to check the implementation of the GDPR: Thuringia's data protection commissioner actively asked many Thuringian companies about the status of their GDPR implementation using a questionnaire. Checks were also conducted in other German states, such as North Rhine-Westphalia.

It can be assumed that checks will take place to a greater extent in 2019, for example by means of nationwide surveys via questionnaires. However, our consultations with the supervisory authorities also suggest that in 2019 many authorities will continue to focus on advice rather than on sanctions through fines. This applies, of course, only as long as no serious deficiencies in the implementation of the GDPR are identified.

Fines could occur in cases such as:

  • Inadequate implementation of minimum requirements (e.g. records of processing activities).
  • Carrying out video surveillance of employees without reason.
  • Neglect of data security (e.g. insufficient role and rights management).

In addition to the possibility of coming into the focus of the supervisory authorities, a data breach can also be reported by third parties.

Accordingly, it is highly recommended to establish at least the minimum requirements of the General Data Protection Regulation. Furthermore, it is recommended that data protection be improved continuously as a management task.

External Data Protection Officer

You are welcome to appoint us as your external data protection officer (DPO). We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.

4. Fines are not transparent

Various fines were already imposed in 2018. The range extends from three-digit sums in Germany to international fines in the millions. A large number of fines of various sizes have been imposed for various offences.

These offences include, for example:

  • Video surveillance without cause
  • Incomplete commissioned processing (processor) agreements
  • Open e-mail distribution lists
  • Insufficient role and rights concepts

The problem is that there is no uniform standard in the sense of a catalogue of fines. It is currently difficult for both data protection officers and the companies concerned to assess which violation leads to which fine. It is also possible that cooperating with the supervisory authorities could lead to a reduction in fines. However, there is no concrete explanation for this either. It would therefore make sense for the supervisory authorities to draw up a coordinated catalogue that transparently shows which categories of violation by which companies are punished with which fines.

5. Legal uncertainty is the main problem of implementation

A Bitkom survey showed that more than 50% of companies see legal uncertainty as the greatest problem in implementing the GDPR.

Various guidance documents of the Data Protection Conference (DSK) on various critical issues are already being offered as support. Examples include:

  • The obligation to appoint a data protection officer in smaller medical practices
  • Dealing with commissioned processing (processor) relationships
  • The implementation of a data protection impact assessment including the necessary criteria (blacklist / whitelist)

Nevertheless, there are many detailed practical legal questions which have not yet been answered comprehensively. These include, for example:

  • How do I fulfil the information obligations when I receive a business card from a prospective customer for my products?
  • Do small companies that perform sovereign tasks (e.g. motor vehicle workshops that carry out exhaust emissions tests) really have to appoint a data protection officer?
  • What is the state of the art in implementing data security?
  • How do I deal with the information obligations when there is a change of medium (media discontinuity)?
  • Is a tax consultant who does payroll accounting also a processor?

These and other questions have not yet been conclusively clarified and will be decided in the coming months or years, either by the Data Protection Conference, by legislative amendments or by court rulings. But it is also a fact that at least 80 percent of the tasks in data protection can be implemented by every company in Germany without any problems. There are also minimum standards in the area of data security (e.g. ISO 27001, the BSI IT-Grundschutz), so that every company can find out about and implement basic measures for data security.

In many cases, the implementation of the GDPR does not take into account the specific legal bases of the individual sectors. It is quite possible that certain legal bases allow companies to collect or process personal data without first obtaining the consent of the data subjects. The main advantage of consent, however, is that it can be revoked at any time.

In summary, the GDPR already clearly regulates many questions of principle. However, as soon as one moves into specific sectors or legal areas, there are still many open questions.

6. Data protection becomes a cheap commodity

As the demand for data protection officers and data protection experts has risen sharply since May 2018, there are many relatively new providers who see financial opportunities in the uncertainty of companies. For this reason, numerous so-called data protection experts and providers of data protection software are currently appearing on the market. In some cases, very low prices are being charged for the role of data protection officer or for other data protection services. The problem here is that reputable data protection officers always have to accept a certain liability risk themselves. The necessary safeguards for this cannot be financed at the prices charged. This leads to the conclusion that the services offered cannot guarantee high-quality data protection.

Robin Data has therefore made it its goal to offer data protection at the highest level. For this purpose we have a network of partners who have developed their data protection expertise over many years. Data protection experts from the Robin Data Network develop the optimal data protection management system with and for our customers.

The same applies to data protection: if you buy cheap, you buy twice.

Nadine Porrmann