Between May and September 2018, the first months after the General Data Protection Regulation (GDPR) came into force, almost 10,000 complaints and reports of data breaches were filed in Germany. In the same period, almost 75,000 notifications and complaints were received across the entire EU. However, there is one decisive catch: the mills of the data protection authorities are - still - grinding too slowly. Sanctions that are too lax and understaffed authorities are only two of the problems.
According to Andrea Voßhoff, who until recently served as Germany's Federal Commissioner for Data Protection, a total of about 3,700 general submissions and concrete complaints as well as almost 5,000 reports of data protection violations have been received. In the EU as a whole, 55,000 complaints and almost 19,000 data protection violations have been reported. After all, with the GDPR, Europe has one of the best data protection laws in the world. Only the enforcement is lacking. This is mainly because the national authorities are responsible for implementation: if they do not investigate complaints or pursue infringements, the GDPR is useless. Of the 28 EU member states, not even all have implemented the GDPR in their national law. Some have even cut the budgets of their data protection authorities instead of increasing them. With more and more data breaches being reported, this is of course the worst possible choice.
The situation in Germany is not much better: a number of fine proceedings are currently underway, but eleven federal states have not yet imposed any fines at all. North Rhine-Westphalia leads with 33 concluded cases, followed by Hamburg with only 3 and Berlin and Baden-Württemberg with 2 fines each. Bavaria still has 85 cases pending. How these will end and how high the fines will ultimately be often goes unnoticed by the public. After all, which company wants to publicly admit that it has security gaps and that sensitive data has been or could be compromised? Its good reputation is at stake.
Incidentally, most fine proceedings are triggered by specific complaints. This shows that awareness is slowly improving when it comes to handling sensitive data. Those affected no longer silently accept every misuse of their data, and this increasingly forces companies to act. After all, there are penalties of up to 20 million euros or up to four percent of the previous year's worldwide turnover, not to mention the damage to reputation, which can ultimately cost a company even more than a GDPR fine.
So it is smart for companies to take precautions before a data breach occurs, for example with an encryption solution such as the eperi Gateway, with which the entire encryption process remains exclusively in the hands of the company. Sensitive data only leaves the company in encrypted form, so attackers can only capture unreadable data. With regard to the GDPR, this is an unbeatable argument: in the event of a data breach, the company itself is always ultimately liable, and this liability cannot be delegated to third-party providers such as cloud providers.
And companies should be aware of one thing: reports and notifications of data breaches will not diminish, but rather increase. And even if the mills of the data protection authorities still grind slowly, sooner or later companies will be called to account.