Current status of the enforcement of the GDPR

In May 2020, it is going to be two years since the General Data Protection Regulation 2016/679 (GDPR) came into force. The GDPR empowers data protection authorities to impose higher penalties than ever before in the event of data protection violations. In the most serious cases, companies can be fined up to EUR 20 million or 4% of their worldwide annual turnover – whichever is higher. At the beginning, there were numerous questions from both the Data Protection Authorities (DPA), data controllers and data processors with regards to the interpretation of the GDPR articles and the calculation of fines.

The most recent analysis by the market Researcher Forrester came to the conclusion that data protection authorities in the European Union are stepping up their GDPR enforcement activities. In addition, after almost two years, there is now much more certainty regarding the interpretation of the GDPR requirements by the DPA. In order to emphasize the seriousness of the federal government in terms of data protection, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) adopted a catalogue of fines at the end of last year, which allows significantly higher sanctions and should represent a wake-up call for companies.

The latest example of a 9.5 million euro fine imposed by the BfDI on a well-known German telecommunication company for a GDPR violation has shown that German authorities will not let companies get away with data protection violations. In the case of a German telecommunication company, a customer's complaint to the BfDI was followed by an investigation in which it was concluded that personal data was provided to a third party by the company's hotline employee, even though the caller only had the name and date of birth specified by the customer. For its part, the company stated that the hotline employee had acted using two-factor authentication in accordance with the company's guidelines at the time and that this was in line with industry practice. However, the BfDI stated that this procedure creates risks for "extensive information" about customers. It was determined that the authentication procedures used by the customer hotline of the telecommunication company were not sufficient to meet the requirements of Art. 32 GDPR.

Further trend-setting fines in connection with the GDPR were imposed on a German real estate company as well as on others companies like e.g. Google, British Airways and Marriott Hotels last year.

Protect your business and act quickly by closing your data protection gaps.

RSM will be happy to help you run awareness programs for employees or examine your data protection management system (DSMS). We also assist with reviewing your own risk assessment or validating your process description.

Other services related to the GDPR:

  • Data protection management system (DSMS)
    We support you in the conception and implementation of the DSMS and check the effectiveness of the DSMS according to recognized standards
  • Risk management and gap detection
    We help you identify risks to identify potential data protection gaps
  • Data protection requirements
    We support you in checking the gaps in your organization and making recommendations for compliance with the General Data Protection Regulation (GDPR)
  • Data protection and data protection programs
    We support you in developing and implementing data protection and data protection programs
  • Awareness programs
    We run awareness programs for your organization to determine the roles and responsibilities of each individual in the organization in the area of data protection
  • Review Standard Operation Procedures (SOP)
    We review your organization's SOPs for data management and make recommendations by comparing them against best practices and industry standards
  • Assistance with the clarification and processing of data protection or data protection violations
    We monitor the principles and practices of data handling and classify the information security risk
  • Microsoft SSPA Services
    We help you self-evaluate the Microsoft SSPA program and prepare a report as an external auditor on compliance with the SSPA program

For more information with regards to our services please contact us.


Gregor Strobl

Partner - RRCG, Hamburg


Scan the QR code to save the contact details.

Jonathan Schlaeger

Experte für Cyber Security - RRCG, Hamburg


Scan the QR code to save the contact details.


Internet Explorer 11 is not supported.

We have detected that you are using an outdated browser. We recommend that you use an up-to-date browser to increase your security and to be able to use all the functions of the RSM website.

We recommend the following browsers: