In the first half of the year, the GDPR (General Data Protection Regulation) had many minds working overtime. Quite a few companies invested not just nerves but also a great deal of time and money in implementing it. And yet much was still unclear right up to the GDPR's entry into force on 25 May 2018. And today? Have all the bad fears come true? We look back over the last few months and point out the advantages the GDPR can bring you in the future.
Let's start with the good news. On 25 May 2018 the world did not end, nor was there a sweeping wave of formal warnings (cease-and-desist letters) against companies. The GDPR has nevertheless been the number one topic of the year, and it still is, even if it is no longer quite so omnipresent in the media. Since the final text of the regulation was settled at the start of 2016, some companies have prepared for it systematically. Others sprinted to the finish and tried to make their company GDPR compliant at the last minute, which often turned out to be harder than expected. Under the regulation, companies that fall within its scope face hefty fines for violations: up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher.
It is no secret that countless cyber attacks, many of them successful, take place every day, so data protection breaches are more than likely. But what have the consequences for companies been since the GDPR came into force? Or were the stress and worry for nothing? The fact is that many companies still do not know exactly what the GDPR requires of them and what it does not. Do I need to report this incident? How do I document it to be GDPR compliant? What do I need to consider for marketing campaigns? (On the first question the regulation is concrete: a breach that is likely to put individuals at risk must be reported to the supervisory authority within 72 hours of becoming aware of it (Art. 33), and the affected people must be informed where the risk is high (Art. 34); that deadline is only achievable if it is clear in advance who decides and who reports.) Putting the theory into practice is not that easy.
GDPR – A mid-term review
Since Switzerland is not in the EU, what we have to go on is the experience of neighbouring countries, Germany in particular. Many Swiss companies are nevertheless affected by the GDPR, because it also applies to companies outside the EU that offer goods or services to people in the EU or monitor their behaviour (for example through web tracking), so some of these experiences certainly apply to us as well. The supervisory authorities of our northern neighbour certainly have their hands full with the GDPR, but not because there are large numbers of breaches: companies are overwhelmed by the requirements and are still seeking advice.
Where are we with the great GDPR crisis?
Fortunately, the much-feared wave of warnings has not materialised. That is partly because the supervisory authorities themselves are still warming up. According to a German market survey, 91 percent of the companies surveyed have not received a warning yet. In Switzerland, for the reasons mentioned above, the share will be lower still. But a good 44 percent (!) expect to receive a warning sooner or later. If that isn't a good reason to get ready, what is?
Even small GDPR lapses add up!
Of course, especially at the start, a lot is still unclear. (More or less) small infringements are the norm. These are the most common ones, and an opportunity for you to learn:
- Incorrect or missing privacy policy: If tracking tools (such as Google Analytics) are used, they must be listed in the privacy policy, provided the behaviour of EU users is also recorded. Think you aren't affected? Think again: almost every company that uses a tracking tool of any kind is subject to the GDPR, willingly or not, because which company would block its website for non-Swiss visitors? Equally important is a reference in the privacy policy to the right to object.
- Unencrypted contact forms (including, for example, newsletter sign-up forms): The tried and trusted solution is TLS (Transport Layer Security), the protocol behind HTTPS; SSL (Secure Sockets Layer) is its deprecated predecessor and should no longer be enabled. Check both directions: the page containing the form must be served over HTTPS, and the form's action must point to an https URL, otherwise the submitted data travels in plain text even though the page itself was loaded securely.
- No opt-out option: Users must be able to unsubscribe from notifications such as newsletters at any time.
- No IP anonymisation: To prevent an IP address from being linked to a user, it must be anonymised, for example by truncating its last digits, which in Google Analytics is done with the anonymizeIp setting (the last octet of an IPv4 address, or the last 80 bits of an IPv6 address, is set to zero before the address is stored). Truncating the address slightly reduces the accuracy of geographic reporting, but you still get all the data that matters for analysis. The setting applies per hit, so it must be active before the first hit is sent, otherwise the full address of that hit has already been transmitted.
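To make the last infringement concrete, the following JavaScript is an added example written for this post; it is not code from Google or from InfoGuard. It applies the truncation that Google describes for its anonymizeIp setting (assumption: last octet of IPv4 and last 80 bits of IPv6 zeroed) to constructed sample log lines, which is also what a web server or proxy should do before an access log is written, because an address that was never stored cannot be linked to a visitor later.

```javascript
// Added example (not from the original post): IP truncation as described for
// Google Analytics' anonymizeIp. Assumption: IPv4 keeps the first three octets
// and zeroes the last one; IPv6 keeps the first 48 bits and zeroes the
// remaining 80 bits. Invalid addresses are rejected rather than passed through,
// so a malformed log field can never leak untouched.

function anonymizeIPv4(ip) {
  const parts = ip.split('.');
  const octetOk = p => /^\d{1,3}$/.test(p) && Number(p) <= 255;
  if (parts.length !== 4 || !parts.every(octetOk)) {
    throw new Error(`not a valid IPv4 address: ${ip}`);
  }
  // Keep the network part, drop the host part (last octet).
  return `${parts[0]}.${parts[1]}.${parts[2]}.0`;
}

function expandIPv6(ip) {
  // Expand the "::" shorthand into eight zero-padded 16-bit groups.
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`not a valid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`not a valid IPv6 address: ${ip}`);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  return groups.map(g => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) {
      throw new Error(`not a valid IPv6 address: ${ip}`);
    }
    return g.toLowerCase().padStart(4, '0');
  });
}

function anonymizeIPv6(ip) {
  const groups = expandIPv6(ip);
  // First 48 bits = three groups kept; the remaining 80 bits (five groups) zeroed.
  return [...groups.slice(0, 3), ...Array(5).fill('0000')].join(':');
}

function anonymizeIP(ip) {
  return ip.includes(':') ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Constructed sample access-log lines (documentation addresses, not real
// visitor data). In a real deployment the truncation runs before the line
// is written to disk, not as a clean-up afterwards.
const sampleLog = [
  '198.51.100.42 - - [25/May/2018:10:00:00 +0200] "GET /kontakt HTTP/1.1" 200',
  '2001:db8:85a3::8a2e:370:7334 - - [25/May/2018:10:00:01 +0200] "POST /newsletter HTTP/1.1" 302',
];

function anonymizeLogLine(line) {
  // The client address is the first space-separated field in this log format.
  const [ip, ...rest] = line.split(' ');
  return [anonymizeIP(ip), ...rest].join(' ');
}

for (const line of sampleLog) {
  console.log(anonymizeLogLine(line));
}
```

The IPv6 branch matters in practice: zeroing only the last group of an IPv6 address would leave the 64-bit interface identifier largely intact and the address still linkable to a device, which is why the whole lower 80 bits are cleared.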
GDPR as a competitive disadvantage
It is mainly smaller companies that have cut back their digital offering because of the GDPR. Why? On the one hand because of the extra effort, on the other because of the extra cost: small companies have to meet the same requirements as large ones but often lack the means to become GDPR compliant. You can imagine what that means economically for companies like these...
The GDPR's silver lining
We maintain that the GDPR is taken seriously, but not always understood. So it is not surprising that many companies have not yet fully met the compliance requirements. If Gartner is to be believed, more than 50 percent of companies will still not be GDPR ready at the end of 2018. Make sure you are not part of that 50 percent! Like the companies, the authorities are still coming to grips with the new rules, which is another reason why warnings have so far been few.
Are you among those who have done their homework and implemented all the requirements? Even though sanctions have been limited so far and only a few companies have been fined, the effort has definitely paid off. Why? I'll show you!
- The GDPR is a valuable tool for implementing your digitisation strategy: strong data protection is more important than ever, it creates transparency and customer trust, and it shows that you take the matter seriously.
- Thanks to the GDPR, many companies have finally had a long overdue spring clean and engaged intensively with data protection. That helps your cyber security as well: an inventory of which systems hold which personal data is exactly what you need to scope your protective measures and, if the worst happens, to assess and report a breach within the 72-hour deadline.
- If you had to bring in GDPR experts, that was an expensive but more than sensible investment, because your business processes have been reviewed by a security expert and can now be optimised.
- If you run an online shop, the data-minimisation principle means you should not force customers to create an account just to place an order, so guest ordering should be offered. That can increase conversion, some consolation for those mourning lost customer data.
- Internationally, the GDPR has become a strong symbol of the importance of data protection. Other countries are following suit and increasingly addressing the issue, for example the USA and Japan. Switzerland will also be revising its data protection law, probably by the end of 2019.
- With globalisation, the harmonisation of standards in the EU was long overdue. It not only creates transparency and better protection, it also makes work easier in the long run and reduces location-related disadvantages and barriers to innovation.
- And finally there is one economically important advantage from which every company stands to benefit: better business processes. The GDPR requires data to be recorded, organised and managed in accordance with the rules. That can make collaboration much easier, streamline processes, reduce incorrect data entries and increase productivity, making tedious document searches a thing of the past!
The GDPR as a perennial partner
Even if we don't like saying it (because cyber security and data protection should NEVER be neglected), you still have time. But the clock is ticking much faster now, because a cyber attack can hit anyone at any time, be it in 2 days, 2 months or 2 years. One thing is certain: every company either is already or will become a target for cyber criminals. So if you are still not GDPR ready, speed things up! And to all those who have their data protection under control: don't rest on your laurels, and stay on the ball. Data protection remains omnipresent and poses constant challenges, exactly like cyber security.
GDPR Web Audit for double security
Data protection is not only an important topic, it is also a complex one. Real know-how is in demand here, ideally from an expert. With the GDPR, many details are lurking that can become your downfall. InfoGuard offers you a simple solution for staying on the safe side with your GDPR compliance. Our GDPR Web Audit uncovers any remaining security gaps in applications and infrastructures that are critical to data protection. In addition, we check the effectiveness of the security measures you have implemented. More details about our GDPR Web Audit can be found here: