The E.U.’s General Data Protection Regulation (GDPR) entered into force just over one year ago. While the surge in fines that had initially been expected failed to materialize, by far the most fines, according to EY Law, have been imposed in Germany. The future will bring additional risks as well. However, with the right IT configuration, these risks can be reduced significantly.
According to EY Law, 42 fines were imposed and 54 warnings issued in Germany during the GDPR’s first year in effect. While the overall number of cases is small, one thing is clear: more penalties were levied in Germany than in any other E.U. country. There was a significant gap between Germany and Latvia (2nd place) as well as France (3rd place), where fines were levied in 12 and 10 cases, respectively. There were also reports of penalties for violations in the Netherlands, where a total of 1,018 warnings were issued. However, a fine was imposed in only one instance there, coming in at €600,000. It was the highest fine laid down in the E.U. No fines were imposed in nine of the 16 countries for which data is available, and no warnings were issued in six E.U. member states.
Continuous vigilance is necessary
One year later, the impact felt from the GDPR has been moderate in scope. The sanctions imposed were well below the figures previously feared. This was especially true for small and medium-sized businesses (SMBs). Without a doubt, one of the main reasons for this is the massive effort made within the European Union to ensure compliance with the GDPR. Among other things, many procedures for handling personal data have been reviewed and modified as necessary. It remains to be seen how much of a role the grace period granted by the regulatory authorities played here; EY Law believes it contributed significantly to keeping fines down.
- The consultancy believes that European supervisory authorities will impose heavier fines in 2019, and points to statements made to this effect. For example, the Data Protection Authority of Bavaria for the Private Sector will monitor tracking more closely.
- An EY survey of the relevant authorities highlights the fear that a tougher line will be taken going forward. According to this survey, 82 percent of those surveyed expect higher fines and other penalties.
Customized IT systems remain the cornerstone of GDPR compliance
Matrix42 believes that IT systems that can be configured and customized to meet the respective user’s needs will be key to ensuring compliance with the GDPR now and in the future. The investments initiated prior to the GDPR are one of the main reasons for the low number of fines. Along those lines, companies are increasingly relying on software that automates processes and supports compliance with the regulation. In addition, such systems contain features that limit the work involved in publishing or deleting data, for example.
Challenges persist for IT departments
From an IT department’s perspective, it is important to continue to observe the corresponding standards for compliance with the GDPR, taking the existing IT environment into account. Regular assessments and changes will continue to be necessary in the future as well. Central management of application and resource compliance is crucial, for example when onboarding and offboarding employees. If at all possible, this process should be automated. In addition, the risk of over-licensing needs to be mitigated on cost grounds, so IT needs processes with which licenses can be issued as required. For that reason, IT departments need to constantly focus on a number of issues:
- Expansion of process standards, also with regard to cloud applications
- Integration of data and processes into the existing infrastructure
- Preventing Shadow IT from developing
- Automation of employee offboarding processes
- Ensuring role-based access to applications
- Addressing the risk of over-licensing
- Regular data checks
Companies that verify the storage and deletion of data early have an advantage over those that do not. By doing so, two persistent requirements – data governance and compliance – can be satisfied at all times.