The EU General Data Protection Regulation
Data protection is going to get expensive: The EU General Data Protection Regulation is on its way.
Data protection is considered important, the Federal Data Protection Act is well established and German companies really should be absolute experts in data protection by now. However, a quick reality check shows that data protection is not quite as advanced as it might seem either due to lack of knowledge or deliberately ignoring data protection and profiting from selling customer data. Some readers may however take comfort that data protection is taken somewhat more seriously in Germany in comparison to the rest of the world where privacy and data protection issues are not even considered by decision and policy makers.
Although violating data protection legislation in Germany attracts a financial penalty, the fines are not high enough to scare off particularly large companies who are callous with personal data. Currently fines of EUR 50,000 are imposed for violations of Section 43 (1)(1) of the Federal Data Protection Act in Germany and EUR 300,000 for violations of Section 43 (2) of the same act. In the past, higher penalties could only be enforced if the perpetrator had gained financially from the violation. There have only been a handful of situations where this has been the case such as one of the highest ever fines of EUR 1.46m imposed on 35 Lidl sales companies.
Now the situation is changing with the EU General Data Protection Regulation which has already come into force but has a transitional period until May 2018. In Germany this replaces the Federal Data Protection Act, state data protection legislation and the EU Data Protection Directive 95/46. This also means changes to the previous maximum penalty of EUR 300,000. Article 83 Paragraph 4 of the EU General Data Protection Regulation stipulates a maximum penalty of EUR 10 million and a maximum of EUR 20 million or 4% of international annual turnover may be charged under Article 83 Paragraph 5 and 6 of the same act.
Consequently, the so far rather toothless state data protection commissioners will soon have more bite than a grown saber-tooth tiger. There are still some loopholes left in how annual international turnover can be calculated but one thing is for sure: Data protection is about to get more expensive than ever before, especially as consumers are becoming more aware of how companies are using their data. A current study conducted by the Kantar Eminid market research institute shows that data protection is of utmost priority for shopping apps. In this category, 85 percent of users see confidential handling of personal data as their top priority. If the authorities now start to ramp up their capacity for dealing with regulatory violations, data protection will quickly change from another compliance box to tick to a key area in information security which demands due attention.
Data protection needs information security and information security has been brought to the forefront of strategic considerations as a critical issue for all organizations over the last few years. Organizations which take IT security seriously can also provide data protection. This begins by defining processes correctly and also includes evaluation and categorizing assess, implementing technical and administrative protection measures and promoting employee awareness. It goes without saying that a Virtual Private Network should be part of any solution for securing remote access and also ensures data protection when communicating with mobile devices.