Happy Birthday GDPR! You are now two years old – about time we started taking you seriously. The State Representative for Data Protection and Information Freedom Rhineland-Palatinate (LfDI) must have thought likewise when it published its “Action Plan 2020” at the beginning of May. The overall picture: “2020 will be characterised by the systematic resolution and sanctioning of established data protection breaches” – even if currently, the focus of other companies is certainly elsewhere…
Is the grace period over now?
As early as March 2020 the LfDI published its “Concept for Effective Implementation of Data Protection Law in Rhineland Palatinate”, following up the implementation of its action plan. Despite Corona the LfDI has declared the grace period over and announced the implementation of the data protection conference’s (DSK’s) position in the area of website tracking. As stated in the action plan, “coordinated checks together with the other German data protection authorities are planned and expected to kick off in 2020”.
Data protection breach notifications reach the LfDI in two possible ways: either (a) via a complaint from a consumer or (b) through active checks conducted by the supervisory board. The most frequent reasons for a breach? Mainly complaints about the unauthorised forwarding of data to third parties, alongside matters related to tracking activity on websites.
Significant increase in fine proceedings
Even though the expected wave of fine proceedings after the GDPR’s introduction did not materialise, there has been a lot of activity around fines in the last two months. According to a survey of the data protection authorities in the German states conducted by the Handelsblatt, only 40 fines were levied in 2018 after the GDPR came into effect. However, 2019 showed a significant increase with 187 fines (as of Dec. 2019). The clear trend: the implementation of the GDPR is gaining momentum following a comparatively long grace period (including the two-year transition phase from May 2016!).
⇨ Data protection breaches are now being systematically pursued.
Reported breaches relatively high compared to elsewhere in Europe
Compared with our European neighbours, the number of reported GDPR breaches in Germany is relatively high. Only the United Kingdom and the Netherlands report a similar number. According to the Handelsblatt, at least 234 companies have committed GDPR breaches serious enough to have led the European data protection authorities to levy fines amounting to over 467 million euros. In Germany the fines during this period have amounted to around 25 million euros.
Investment in data protection is worth it
It is certainly true that the GDPR’s introduction was not a cause for celebration for most associations, companies and authorities. On the contrary – the GDPR was met with resentment at first. Complying with it demanded a major commitment of time, nerves and financial resources. Nevertheless, the cost of not complying, and thus the risk of being hit with hefty fines, was far larger than the investment in compliance.
The legal situation remains unclear
Even two years after the GDPR came into force, data protection remains a “work in progress” across Europe, including Germany. Many details remain unclear and important rulings are still pending. Given the complex legal situation, it is no wonder that even experienced Data Protection Officers (DPOs) lose sight of what legally compliant gathering, processing and saving of personal data should look like.
Consent Management offers a solution
A glimmer of hope: obtaining consent to use data in a clean manner is technically quite complicated, but it can be accomplished with comparative ease using a Consent Management Platform (CMP).
In addition to complete visibility of all the gathered data, a CMP also offers companies the ability to react quickly to legal changes as the settings can be changed with just a few clicks. This ensures data owners are on the safe side and able to seamlessly document consent in the event of a caution or audit from the data protection authorities – and view the GDPR’s third year of life with less dread and foreboding!
Would you like to learn more about the Usercentrics CMP? Please contact us. We are happy to advise you.