Even one year after the end of the transitional period, German companies still have a lot to do to fully meet the requirements of the General Data Protection Regulation (GDPR). According to a recent survey by TÜV SÜD, around one third of those surveyed said that their company had implemented the necessary measures only partially (29%) or not at all (6%).
"Despite initial fines, the initially feared broad wave of warnings has so far failed to materialise. But in the meantime, the supervisory authorities of individual federal states in Germany such as Baden-Württemberg have announced stricter controls," says Andreas Rübsam, Director Data Protection at TÜV SÜD Sec-IT GmbH. "The good news: Even if you have done too little or nothing at all in your company, it's never too late to start. You should at least get an external consultant." According to the survey, some companies have already done just that (34%) or partially (24%) to get fit for the GDPR.
Employees are often not sufficiently trained
Only slightly more than half of the decision-makers surveyed stated that their company had previously appointed a data protection officer. "Although this is only mandatory for ten or more employees, many do not know that the responsibility for implementing the GDPR lies entirely with the company management," says Rübsam. There is also a lot of catching up to do in the area of employee training. Only 44% of those surveyed stated that the workforce in their company had received sufficient training in GDPR.
The ten most important points on data protection
"The following ten points cover the most important areas of data protection," explains Rübsam. In concrete terms, these are: The training of our own employees, information for customers, a data protection declaration on the website as well as a review of the security of our own website, a directory of data processing activities, regular data backups, observance of data subjects' rights (information, deletion), contracts for order processing, marking of video surveillance and reporting of data breach.
After a two-year transitional period, the General Data Protection Regulation entered into force one year ago on 25 May 2018. It regulates the processing, storage and disclosure of personal data by public authorities and private companies across the EU, e.g. through information duties and the data subjects' rights of access. If these are violated, companies risk fines of up to 20 million euros or up to four percent of their worldwide annual turnover.
The data used is based on an online survey conducted by YouGov Deutschland GmbH in which 531 company decision-makers participated between 6 May and 10 May 2019. The results were weighted and are representative of the proportion of employees per company size.
You can find comprehensive information on the subject of data protection in accordance with GDPR, external data protection officer, audited order processing and certified data medium destruction at TÜV SÜD Sec-IT https://www.tuvsud.com/en/services/cyber-security/data-protection.
TÜV SÜD Academy offers a data protection portal and training courses on the subject of data protection at https://www.tuev-sued.de/academy.
Press contact: Sabine Krömer