Since 25 May 2018, the General Data Protection Regulation (GDPR) has applied. After a good year, it is time for a résumé and an outlook on the future. Hardly any other law has brought about such major changes in companies in recent years. Even after having completed the changeover, companies must constantly check whether their data processing is compatible with the GDPR. They should also be aware of how they can benefit most from the changes in data processing.
Many companies had spent months preparing for the GDPR to come into force on 25 May 2018. Many feared that alleged breaches of data protection could be used as a pretext for warning letters. They also feared the high fines. The effort for the GDPR implementation was high. The costs for the ongoing monitoring of GDPR compliance are also high. The right priorities should therefore be set now.
The feared wave of warning letters in the context of the GDPR has not materialised. Furthermore, the data protection authorities have not imposed the heavy fines possible under the GDPR, , at least in Germany. The highest fine in Germany has been 80,000 euros. The data protection authority in Baden-Württemberg imposed this fine because health data had ended up on the Internet. The data protection authority in Berlin imposed a fine of 50,000 euros on a bank for unlawful handling of customer data.
Even though the fines in Germany have been relatively moderate so far, the situation has changed fundamentally. The data protection authorities regarded the year 2018 as a year of consultation and, in the event of infringements, have given advice rather than imposed fines. However, this grace period has come to an end. Overall, the number of fine proceedings has increased considerably. Unlike in the past under the Federal Data Protection Act, authorities today do not limit themselves to uncover infringements. They are more likely to initiate fine proceedings, even in cases in which it is questionable whether an infringement has been committed at all, such as the Berlin data protection authority’s ' action against the online bank.
Some authorities also react to incidents in which a fine would never have been considered before the GDPR. There was even one case in which a small company from Germany contacted the data protection authority itself and complained that a service provider did not want to sign a contract for order processing. The data protection authority did pursue the Spanish service provider but imposed a fine of 5,000 euros on the German company.
In other countries, the fines are significantly higher. The French data protection authority CNIL imposed the highest fine on Google, 50 million euros for illegal data processing. This very high fine and the fines imposed in other countries outside Germany will also have an impact in Germany. Here, too, the level of fines will rise.
The vast majority of companies used the months before and even a few weeks after May 2018 to bring their data processing into line with the GDPR and to fulfil their GDPR obligations. However, the changeover is not a one-off matter, but an ongoing process. It is therefore necessary to check on an ongoing basis whether data processing is compatible with the GDPR.
An important prerequisite for GDPR compliance is a record of processing activities that records all IT processes in the company. The record of processing activities is the basis for assessing data processing in the company and for assessing which subsequent steps are necessary. As IT processes change, the record must be kept up to date on an ongoing basis.
A second important prerequisite is the fulfilment of information duties. Last year's focus was on information duties towards employees. Every company must inform its employees in writing about collecting and using personal data. If an employee requests information, the company is obliged to provide the information. In one of the first rulings on the duty to provide information, the State Labour Court of Baden-Württemberg granted the employee a broad right to information.
Customers may also assert claims for information pursuant to Art. 15 GDPR. Therefore, each company must define and regularly review a process to ensure that such requests are answered in a timely manner. The period of one month appears to be quite long, but in practice it is very short.
Another area are data processing agreements. Processing means that a service provider processes personal data on behalf of the company, if a company uses cloud services or if servers are hosted in a data centre, the service provider acts as a data processor. But in many other cases the company providing services is a data processor according to the GDPR e.g. with service providers who send e-mails or provide IT support. For these companies and their customers it is very important to enter into an agreement that is in line with Article 28 GDPR.
Many service providers offer standard data processing agreements that are compatible with the GDPR. However, there are always individual companies whose contracts violate the GDPR. This entails a great risk for the customer. In view of the threats of fines, such risks should not be taken.
The GDPR has introduced the new instrument of "joint controllership". In practice, the implementation of joint controllership sometimes causes difficulties. On 5 June 2018, the European Court of Justice ruled that operators of a Facebook fan page are "joint controllers" with Facebook. This ruling has important consequences. On the one hand, Facebook fanpage operators must include a corresponding privacy notice. In addition, the operator must conclude a corresponding agreement with Facebook pursuant to Article 26 GDPR. The German data protection authorities take a very critical view of the operation of fanpages, and there is a risk of fines.
The most important organisational measures to implement the GDPR were: Introduction of an access control policy that regulates access options and rights to data within the company; retention policies setting the retention period and deletion of data as well as data security policies that relate to data protection. These policies must be checked regularly to see whether they are still up to date.
The GDPR has led to the fact that data protection today has a much higher priority than before. During financing rounds, start-ups are critically asked whether their business model is compatible with the GDPR. During due diligence, buyers of companies or shares check whether business activities comply with the GDPR. If there are any doubts, e.g. regarding data processing agreements or employee privacy notices, this leads to difficulties in the sales negotiations. If it turns out that essential business processes cannot be brought into line with the GDPR at all, the entire sale fails.
The next big challenge for companies is digitalization, including the use of artificial intelligence applications. As a result, data protection is becoming even more important because companies rely more and more on IT processes.
The GDPR implementation and the ongoing monitoring of GDPR compliance require a great deal of effort. However, they have the advantage that companies are more involved with IT processes. This is a good preparation for the next big challenge, namely the digitalization of the company including the use of artificial intelligence. GDPR migration projects and the ongoing monitoring of GDPR compliance have also led companies to take a closer look at the data they have at their disposal. This gives the opportunity to use customer data sensibly and to offer the customer additional benefits, e.g. with bonus programs or regular information letters. This is also an important step in preparing the company for digitalization.
If these opportunities are seized, monitoring GDPR compliance will not remain a mere compulsory exercise, but will offer real added value for the company.
Arnd Böken, Attorney and Notary