Data Protection Day: 74% of experts say DPAs would find “relevant breaches” in most companies if they investigated.
When the GDPR came into force in 2018, the new law was hailed as a move toward stricter enforcement in the EU, ensuring that the fundamental right to data protection does not exist only on paper. To mark Data Protection Day on 28 January this year, noyb surveyed more than 1,000 data protection professionals working in European companies, providing a unique view from the inside. 70% of respondents believe that the authorities need to issue clear decisions and enforce the GDPR to ensure compliance, while 74% believe that if the authorities actually walked through the door of an average company, they would find “relevant violations”. The study also shows that the authorities need to fundamentally change their enforcement approach, moving towards “evidence-based enforcement”, if they want to bring companies into compliance.
Serious crackdowns have not materialised as promised. The General Data Protection Regulation (GDPR), which came into force in May 2018, promised a shift from the earlier “soft-touch” approach to data protection to full-scale enforcement. To achieve this, EU lawmakers gave the authorities serious investigative powers and the option to impose large fines. According to the new noyb survey of more than 1,000 data protection professionals, most participants believe the introduction of the GDPR has “significantly improved” how companies handle personal data. Nevertheless, 74% still believe that if the authorities actually conducted an on-site investigation of the average company that handles user data, they would find “relevant violations”.
Max Schrems, honorary chairman of noyb: “It is extremely concerning that 74% of data protection professionals in companies say that in the average company, authorities would discover significant violations. Such numbers are hard to imagine. It is only when it comes to users’ personal data that non-compliance is commonplace.”
Objective insider data on GDPR compliance. To gain as much insight as possible into the practical application of the GDPR, the noyb survey included 65 questions covering a range of topics in GDPR compliance and enforcement. This yielded reliable information about the internal dynamics that prevent data protection officers (DPOs) from taking steps to strengthen GDPR compliance, as well as the external factors that may push companies towards greater compliance in the future. Such data is likely to be critical for focusing enforcement and compliance efforts on strategies that actually work and that support the work of in-house DPOs.
Conflict with the marketing department and management. Companies often operate in the contested territory between the pursuit of profit, the cost of making their systems GDPR-compliant, and the obligation to comply with the law. noyb’s research clearly shows that DPOs are under pressure to limit GDPR compliance in the interest of the business. 46% of respondents said they felt active pressure from sales and marketing to limit compliance, and 32% said they felt pressure from senior management. Not surprisingly, convincing these stakeholders to make the changes needed to improve compliance has also proven extremely difficult: 56% of respondents said they had difficulty convincing marketing departments, and 38.5% said they had problems with senior management. In addition, 51% say it is difficult to convince non-EU/EEA suppliers to provide compliant products to EU business customers.
Max Schrems: “DPOs are supposed to be independent and ensure compliance from within the company. In reality, many DPOs report that they are under pressure from various quarters to prioritise business interests.”
Evidence-based enforcement: fines and reputational damage. DPOs are hampered in carrying out their duties by a significant lack of clear enforcement action by the authorities. The survey shows that companies are most likely to improve their compliance when they, or another company, face a large fine. 67.4% of respondents said that DPA decisions, including fines, against their own organisation influence decision-makers’ further compliance choices. Interestingly, 61.5% of respondents said that DPA fines against other organisations would also affect their own company’s GDPR compliance. Although this effect (“deterrence”) is well known and well studied, it is not used in practice by the authorities. The next best tool appears to be the publication of decisions: 52% said that reputational damage suffered by other companies is already having a positive effect on their own company’s compliance. However, many authorities currently do not publish their decisions at all (e.g. in Germany), or do so only selectively.
Max Schrems: “The advice from in-house data protection experts seems to be, ‘Impose large fines and make them public.’ Company insiders say that ‘informal’ negotiations between authorities and companies, and the common approaches that rely on secret procedures, appear to be the least effective.”
EDPB guidelines and informal case resolutions have little effect. Although the authorities invest significant effort, time and resources in providing guidelines to businesses, businesses appear to largely ignore them. 46% of respondents said the EDPB guidelines had no influence, and only 23% said they had some influence. Similarly, insiders rate direct complaints to the company as having little impact, and the same applies to complaints to the DPA that end in an informal closure of the case (currently the most common form of decision). Despite all indications that strict enforcement is urgently needed, such measures by DPAs are in practice the exception. This is easily illustrated by noyb’s own cases: most of our more than 800 cases have been pending for over two years, and even among the cases noyb wins, only a handful of decisions include fines. In over 800 cases, we have never seen an authority actually conduct an on-site inspection of a business.
Max Schrems: “In recent years, European authorities have developed a number of guidelines and, after lengthy ‘informal’ consultations with companies, ‘resolved’ cases without further action. Judging by compliance officers’ feedback, this is unfortunately not the best use of taxpayers’ money.”
Insider views are still more positive than user experience. The insider view is alarming enough, but it is still more optimistic than the average experience of data subjects would allow. For example, when noyb exercised the right of access to personal data, more than 90% of requests were not answered in a timely and complete manner; most were simply ignored. By contrast, 59% of respondents believe that most companies “mostly” comply with the “core rules” of the GDPR. Practical experience suggests that the outsider’s view can be even worse than the insider’s.
The only solution is “evidence-based enforcement”. If the respondents are to be believed, the only real solution to this problem is clear: stronger enforcement and clearer DPA and court decisions that force companies to bring their data processing into compliance. A complete and detailed list of recommended actions can be found in the study. The results also show an urgent need to collect further objective evidence so that the authorities can engage in effective enforcement with limited resources. Repeating ineffective approaches will not bring real change to Europeans’ mobile phones and computers. The data collected in our study provides an excellent starting point for further research, and noyb plans to conduct further studies.