Update Data Protection No. 43
Four months of GDPR - a brief interim assessment
It is now more than four months since the EU General Data Protection Regulation (GDPR) became law in all member states of the European Union. Time for an initial and brief interim assessment, and to outline the data protection challenges currently facing companies.
Feared spamigation has not materialized
To date, the widely feared mass sending of cease-and-desist letters (spamigation) has largely failed to materialize. While there has been some isolated competition-law spamigation based on (alleged) violations of the GDPR, this has stemmed mainly from "questionable spamigation lawyers". This spamigation has centered predominantly on the absence of data protection information on websites, and on the non-encryption of website contact forms.
However since the GDPR came into effect, the question of whether competitors and compe-tition or consumer associations are entitled at all to assert cease-and-desist claims for viola-tions of data protection law on the basis of German competition law (Law Against Unfair Competition - UWG), has become even more contentious than previously. In this respect, the sanctions regulated in the GDPR for data protection violations are likely to be final. There are also various legislative proposals against GDPR spamigation.
Companies on the receiving end of a cease-and-desist letter are certainly advised to neither panic nor to ignore this, but rather to check it critically and, if applicable, to reject it with ap-propriate substantiation.
Supervisory authorities will be starting checks before the end of this year
In recent months the data protection supervisory authorities of the German Federal States have reported such a major increase in both inquiries and complaints concerning the GDPR that they have in part been obliged to regulate and limit their communication channels, and are likely to be occupied with processing this initial flood of company and private submissions for some time to come.
Some supervisory authorities (for example the Bavarian Data Protection Authority) have however advised that they will start their first GDPR checks before the end of the current year. The focus will be on large and medium-sized companies.
Companies thus far only partially GDPR-conform
Current studies show that at least one third of German companies are definitely not yet GDPR-conform, or have not genuinely concerned themselves at all with the GDPR. A large number of other companies still have large or small gaps in terms of implementation of the GDPR requirements. There is typically a need for catching-up in terms of the systematic checking of the legality of data processing procedures, the establishment of processes for fulfilling the rights of data subjects, e.g. rights of access, rectification and data portability, and in terms of the drafting and implementation of a GDPR-conform erasure concept.
Period of grace has ended
Even if many questions related to the GDPR have not yet been clarified conclusively, the period of grace for implementation of the GDPR has passed. There is already a risk of fines for serious and clear violations, in particular of fundamental and undisputed requirements of the GDPR.
The absence of spamigation and the fact that no checks have yet been carried out by the authorities, do not mean that companies now have nothing more to do. On the contrary, they should continue to work resolutely on implementation of the GDPR requirements, in particular on their "GDPR Basic Compliance", as well as developing processes and resources to anchor data protection permanently within their organizations.