It is designed to strengthen the rights of European citizens to their data: On 25 May, the European General Data Protection Regulation (GDPR) comes into force. However, many companies' concepts for protecting personal data still have holes, and their data processing and policies do not yet correspond to the new regulations. As a result, large fines are looming: up to 20 million euros or up to 4 % of the previous year's global turnover can be payable for serious violations. The overwhelming majority of companies in Germany are still working on fulfilling the requirements of the GDPR by 25 May.
13 % feel themselves to be legally safe
Not many companies are really well-prepared yet: Only 13 % see themselves as legally on the safe side, for example because they have evaluated and appropriately adjusted their processes with regard to the GDPR. Most companies (56 %) are currently still working on it. This is the finding of a recent survey of 600 marketing decision-makers carried out by the eco Association and ABSOLIT Consulting, which is representative of larger companies in Germany. “Decision-makers in businesses should face the challenges now and fulfill the new requirements in their email marketing”, says Dr. Torsten Schwarz, Leader of the Competence Group Online-Marketing at eco – Association of the Internet Industry.
Legally secure consent declarations lacking
There’s certainly still enough to do, as the survey shows. For example, a GDPR-compliant consent declaration exists for nowhere near all of the people that a company writes to. A safe, provable consent to receive marketing emails, such as a Double Opt-In, only exists for every second email address. For nearly one quarter (22 %) of addresses that are regularly written to, there is no, or only a legally inadequate, consent. Many of those responsible are still not sure what will happen with these email addresses from 25 May. 47 % still want to think about an appropriate process for dealing with them.
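The Double Opt-In the survey refers to is what makes a consent provable: the address owner must click a confirmation link, and the company keeps a record of the request and the confirmation. The following is an added illustration of that flow, not code from eco, ABSOLIT Consulting or the survey; the signing secret, the 48-hour link validity, the e-mail addresses and the IP addresses are constructed assumptions. It also shows the failure cases a reviewer would check: a tampered link, an expired link, a link for a request that was superseded, and a replayed confirmation.

```python
import hmac
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption: a real deployment loads the secret from configuration, never from source.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed policy: confirmation links are valid for 48 hours


@dataclass
class ConsentRecord:
    """The evidence an auditor would ask for: who asked, when, from where, and the confirmation."""
    email: str
    requested_at: int
    requested_ip: str
    confirmed_at: Optional[int] = None
    confirmed_ip: Optional[str] = None

    @property
    def provable(self) -> bool:
        # Only a confirmed record counts as provable consent; a bare sign-up does not.
        return self.confirmed_at is not None


class DoubleOptIn:
    def __init__(self, secret: bytes = DEMO_SECRET, now: Callable[[], float] = time.time):
        self._secret = secret
        self._now = now  # injectable clock so the flow can be exercised offline
        self.records: Dict[str, ConsentRecord] = {}

    def _sign(self, email: str, ts: int) -> str:
        # HMAC over address and request time: the link cannot be altered or minted by a third party.
        msg = f"{email}|{ts}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request(self, email: str, ip: str) -> str:
        """Step 1: store the unconfirmed request and return the token that goes into the confirmation mail."""
        ts = int(self._now())
        self.records[email] = ConsentRecord(email=email, requested_at=ts, requested_ip=ip)
        return f"{email}|{ts}|{self._sign(email, ts)}"

    def confirm(self, token: str, ip: str) -> bool:
        """Step 2: the link was clicked; accept only an intact, unexpired, still-pending token."""
        try:
            email, ts_str, sig = token.rsplit("|", 2)
            ts = int(ts_str)
        except ValueError:
            return False  # malformed link
        if not hmac.compare_digest(sig, self._sign(email, ts)):
            return False  # forged or altered link
        if self._now() - ts > TOKEN_TTL_SECONDS:
            return False  # stale link
        rec = self.records.get(email)
        if rec is None or rec.requested_at != ts or rec.provable:
            return False  # unknown request, superseded by a newer request, or replayed confirmation
        rec.confirmed_at = int(self._now())
        rec.confirmed_ip = ip
        return True

    def may_send_marketing(self, email: str) -> bool:
        """The check the mailing system should make before every send."""
        rec = self.records.get(email)
        return rec is not None and rec.provable


if __name__ == "__main__":
    # Constructed walk-through: request, confirm, and show that a replay is rejected.
    flow = DoubleOptIn()
    token = flow.request("alice@example.com", "203.0.113.7")
    print("before confirmation:", flow.may_send_marketing("alice@example.com"))
    print("confirmation accepted:", flow.confirm(token, "198.51.100.9"))
    print("after confirmation:", flow.may_send_marketing("alice@example.com"))
    print("replay accepted:", flow.confirm(token, "198.51.100.9"))
```

The record keeps both timestamps and both IP addresses because the question a supervisory authority asks is not "did the address sign up" but "can you show that the holder of this address confirmed". Keeping the first confirmation and rejecting replays also means the stored evidence cannot be silently rewritten later.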
The companies are more advanced with regard to the new transparency obligations. According to their self-assessments, 73 % already fulfill the requirements of the GDPR and inform their customers comprehensively about what happens with their data. 68 % observe the principle of data minimization when it comes to generating new addresses for email-marketing.
Taking accountability more seriously
Providing GDPR-compliant data protection should not require most German companies to do much in the remaining time. “Most of the concepts set down in the GDPR are not new”, according to Thomas Rickert, data protection expert at eco – Association of the Internet Industry. “Anyone who already entirely fulfills German data protection requirements should find the effort to become compliant with EU law quite manageable. However, for most of the companies that we provide consultations to, this is not the case”.
Often this has a lot to do with a lack of accountability: Companies must now document very carefully how they have collected data, how they handle the data, and on which legal basis they do this. A mere 6 % have implemented the written process documentation stipulated in the GDPR. 30 % of the companies surveyed still need to implement processes for the provision of information, and the deletion and amendment of data, and there is still room for improvement for profiling: 29 % must still examine their procedures for the automatic processing of personal data, the study found.
- Only 13 % feel themselves to be legally safe.
- A mere 6 % have implemented the written process documentation stipulated in the GDPR.
- 30 % still need to implement processes for the provision of information, and the deletion and amendment of data.
- 29 % must still examine their procedures for the automatic processing of personal data.
- The required Double Opt-In only exists for every second email address.
- For 22 % of email addresses there is no, or only a legally inadequate, consent.
- 47 % still want to think about an appropriate process for dealing with the use of email addresses.
- 73 % inform their customers comprehensively about what happens with their data.
- 68 % observe the principle of data minimization.
A wake-up call for data protection officers and decision-makers
“Many companies have clearly so far only half-heartedly implemented the requirements of the GDPR,” says Dr. Schwarz. “In view of the short time left until 25 May, the topic needs to be at the top of the agenda.” All the more so, since there is adequate awareness in companies of the consequences: 81 % are aware of the legal consequences of a violation of the stipulations in the GDPR. The companies, and above all the company data protection officers, still have plenty to do in the next couple of weeks. Incidentally, the role of data protection officer is undertaken by an internal staff member in 57 % of the companies, 35 % have hired an external service provider – and 4 % of the companies are working without a data protection officer.
In a nutshell
Many companies in Germany have so far only half-heartedly implemented the GDPR and are still working on fulfilling the new requirements by 25 May. For many companies, this may be very difficult to achieve in the remaining time. Only 13 % see themselves as being legally on the safe side. Often this has a lot to do with a lack of accountability: A mere 6 % have implemented the written process documentation stipulated in the GDPR. German companies that already entirely fulfill German data protection law have an advantage in getting prepared. For them, the effort required should be manageable.
eco, the largest European Internet industry association, offers support in preparing for the GDPR. On request, the association can provide an external data protection officer for member companies based in Germany, and for member companies based outside of Europe, it can act as the EU representative for data protection matters. The eco Data Protection Services help member companies around the world to fulfill the legal requirements, train staff, and undertake a data protection audit. Further information can be found at www.eco.de/en/eco-services/eco-data-protection-service/.
Footnote: Survey sample: 335 large companies (over 500 staff), 143 medium-large companies (200-500 staff) and 128 medium-sized companies (50-200 staff).
Five Questions to Thomas Rickert, data protection expert in eco – Association of the Internet Industry
What exactly is personal data?
“This includes all data that allow inferences to be drawn about a person. This could be a name, a date of birth, a phone number, or an IP address. To process this data, a company needs a legal foundation. This is given if there is a valid consent from a person, or the company has a legitimate interest to save the data.”
What does the right to be forgotten mean?
“Citizens have the right to have any personal data stored by a company deleted on request. But this is not the case for all data – the company has a legal obligation to save invoice data, for example.”
What is the right to data portability?
“This should make it easier for customers to change providers. Companies are obliged to make the data available to a customer or another company in a machine-readable form, so that the customer can more easily change from provider A to provider B.”
What are the requirements for data processors?
“In the course of the increased documentation obligations, it is necessary to specify in writing and to document for the customer when a company, for example, hires an IT service provider. The service provider then needs to document compliance with the technical and organizational measures to ensure data protection and data security.”
Do I need a data protection officer?
“If there are at least 10 staff members involved in the processing of personal data or if the core activity of the company is the processing of personal data, then a data protection officer is legally required. This can either be a member of staff, who needs to be able to work autonomously and is granted protection against dismissal, or an external data protection officer.”
René Bernard is Specialist Editor for IT and new technologies, infrastructures and markets with eco – Association of the Internet Industry