Current status of the enforcement of the GDPR

In May 2020, it is going to be two years since the General Data Protection Regulation 2016/679 (GDPR) came into force. The GDPR empowers data protection authorities to impose higher penalties than ever before in the event of data protection violations. In the most serious cases, companies can be fined up to EUR 20 million or 4% of their worldwide annual turnover – whichever is higher. At the beginning, there were numerous questions from both the Data Protection Authorities (DPA), data controllers and data processors with regards to the interpretation of the GDPR articles and the calculation of fines.

The most recent analysis by the market Researcher Forrester came to the conclusion that data protection authorities in the European Union are stepping up their GDPR enforcement activities. In addition, after almost two years, there is now much more certainty regarding the interpretation of the GDPR requirements by the DPA. In order to emphasize the seriousness of the federal government in terms of data protection, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) adopted a catalogue of fines at the end of last year, which allows significantly higher sanctions and should represent a wake-up call for companies.

The latest example of a 9.5 million euro fine imposed by the BfDI on a well-known German telecommunication company for a GDPR violation has shown that German authorities will not let companies get away with data protection violations. In the case of a German telecommunication company, a customer's complaint to the BfDI was followed by an investigation in which it was concluded that personal data was provided to a third party by the company's hotline employee, even though the caller only had the name and date of birth specified by the customer. For its part, the company stated that the hotline employee had acted using two-factor authentication in accordance with the company's guidelines at the time and that this was in line with industry practice. However, the BfDI stated that this procedure creates risks for "extensive information" about customers. It was determined that the authentication procedures used by the customer hotline of the telecommunication company were not sufficient to meet the requirements of Art. 32 GDPR.

Further trend-setting fines in connection with the GDPR were imposed on a German real estate company as well as on others companies like e.g. Google, British Airways and Marriott Hotels last year.

Protect your business and act quickly by closing your data protection gaps.

RSM will be happy to help you run awareness programs for employees or examine your data protection management system (DSMS). We also assist with reviewing your own risk assessment or validating your process description.

Other services related to the GDPR:

For more information with regards to our services please contact us.