Exactly two years ago today, the European General Data Protection Regulation (GDPR) came into force. Whether a large company, freelancer, start-up, or club - every organization that collects or processes personal data about EU citizens in a targeted manner has been obliged to implement numerous data protection measures since 25th May 2018. The regulation contains hundreds of requirements. How do companies deal with them?
To ensure that personal data is processed in compliance with the GDPR, many organizational and technical measures must be introduced and continuously applied. For more than 60 percent of companies, this results in both more complicated business processes and an increase in the amount of work involved. This is the finding of a representative survey of about 600 companies in the information economy conducted by the ZEW - Leibniz Centre for European Economic Research in March 2020. As a further negative consequence of the introduction of the GDPR, more than half of the companies cite additional costs for employee training and an increased need for external consulting.
Nevertheless, after two years of GDPR, not everything is rated badly. After all, more than a third of the companies surveyed stated that their processes had been reviewed and optimized. 29 percent of the companies have standardized their procedures for processing data.
For us at eperi, the study confirms that after two years of the General Data Protection Regulation some progress has been made, but there is still a need for clarification and action. Let's look at the topic of competitive advantage, for example: only five percent of those surveyed believe that the GDPR has led to competitive advantages for EU companies on international markets. One of the reasons for this may be that most US providers now also guarantee that the data of their European customers is processed and stored exclusively in European data centers. Nevertheless, let’s not forget that the US authorities still have legal grounds for almost unlimited access to data, irrespective of whether the data is processed and stored in the US or in Europe - as long as the cloud provider is subject to US legislation. A residual uncertainty always remains, raising questions about whom you can trust with your data.
You should also know exactly how your data is protected in the cloud, as the responsibility for data protection always lies with the company and not with the cloud provider. Violations of the GDPR are subject to heavy fines, which can amount to up to four percent of the global annual turnover. For example, the British data protection authority has imposed a fine equivalent to 110 million euros on the Marriott hotel chain over a GDPR-related breach. To help your company avoid this, we support you with our free "Check Your Cloud Security" test. After taking part, the result is made available immediately, helping you learn about possible gaps in your company's security strategy.
If your company has security gaps, you can close them with our solution, the eperi Gateway: all personal data is pseudonymized before it leaves your company to make sure that only unreadable data is stored in the cloud. In case of a data breach, you, your employees, partners, and customers are on the safe side, as the eperi Gateway renders the data useless for unauthorized parties. This is how you can reliably protect your company from high fines and damage to your image.