When the GDPR came into force in 2018, the new and shiny data protection law was hailed as a shift towards stricter enforcement – ensuring that in the EU, the fundamental right to data protection does not only exist on paper. To mark this year’s Data Protection Day on 28 January, noyb conducted a survey among more than 1000 data protection professionals working in European companies. This provided a unique view from the inside: 70% of respondents believe that authorities need to issue clear decisions and enforce the GDPR to ensure compliance, while 74% say that authorities would find ‘relevant violations’ if they would walk through the door of an average company. In an attempt to move towards “evidence-based enforcement”, this research also shows that authorities would need to fundamentally change their approach to enforcement to get businesses to comply.
Serious enforcement has not delivered as promised. When it came into force in May of 2018, the General Data Protection Regulation (GDPR) promised a shift from the current ‘soft-touch’ approach to data protection to serious enforcement. In order to achieve this goal, EU politics provided authorities with serious investigatory powers and the option to issue large fines. According to a new noyb survey among more than 1,000 data protection professionals, most of the participants believe that the introduction of the GDPR has “significantly improved” the way companies handle personal data, but 74% still say that if authorities were to actually conduct an on-site investigation at an average company handling user data, they would find “relevant violations”.
Max Schrems, Honorary Chairman of noyb: “It is extremely alarming when 74% of company-internal data protection professionals say that authorities would find significant violations at an average company. Such figures would be unimaginable if it were a matter of complying with tax law or fire safety regulation. Non-compliance only seems to be the norm when it comes to users’ personal data.”
Objective insider data on GDPR compliance. In order to gain as much insight into the practical application of the GDPR as possible, noyb’s survey included 65 questions covering a range of topics in the area of GDPR compliance and enforcement. This allowed us to obtain reliable and objective data on the internal dynamics that prevent data protection officers (DPOs) from implementing measures to strengthen GDPR compliance, as well as external factors that could push companies towards more compliance in the future. Such data seems crucial to focus enforcement and compliance work on strategies that actually work and support the work of internal DPOs.
In conflict with marketing departments and management. Companies often operate in a conflicting space between the pursuit of profit, the costs of making their systems GDPR compliant and the obligation to comply with the law. noyb's survey clearly shows that DPOs are under pressure to limit GDPR compliance in the interest of business: 46% of respondents said that sales and marketing were actively pressuring them to limit compliance, while 32% felt pressured by members of senior management. Unsurprisingly, convincing these stakeholders to make the necessary changes to improve compliance is also proving quite difficult. A shocking 56% of respondents said it was difficult to convince the marketing department while 38.5% had problems with senior management. 51% also said that it is difficult to convince non-EU/EEA suppliers to provide compliant products to EU business customers.
Max Schrems: “DPOs are supposed to be independent and ensure compliance from within the company.In reality, many of them report pressure from various sides to prioritise business interests.”
Evidence-based enforcement: fines and reputational damage. The severe lack of clear enforcement action by the authorities doesn’t help DPOs to do their job. According to the survey results, a company is most likely to improve its compliance when it - or even other companies - face significant fines. 67.4% of respondents said that DPA decisions against their own company that include a fine will influence decision makers to opt for more compliance. Interestingly, 61.5% of respondents said that even DPA fines against other organisations would influence their own company’s GDPR compliance. This effect (“deterrence”) is well known and studied, but not really used by authorities. The next best tool seems to be the publication of decisions. 52% said that another company’s loss of reputation already has a positive effect on their own company’s compliance. However, many authorities currently do not publish their decisions (e.g.,Germany) or only publish them selectively.
Max Schrems: “The advice from data protection professionals within companies seems to be: ’impose high fines and make them public’. The common approach of relying on ‘informal’ negotiations between authorities and companies and secret procedures seems to be the least effective according to company insiders.”
EDPB guidelines or case closures are not influential. While authorities invest considerable effort, time and resources in providing guidelines to companies, they appear to be largely ignored by businesses. 46% of respondents said that EDPB guidelines are not influential, while only 23% found them somewhat influential. Similarly, insiders rate direct complaints with companies as not very influential. This is in contrast to complaints to DPAs and the informal closure of cases (currently the most common form of decision). Despite all the indications that there is an urgent need for strict enforcement, in practice such actions by DPAs are the exception. This is easily illustrated using noyb’s own work: Most of our more than 800 cases have been pending for more than two years. But even if you only pick out cases that noyb has won, there are just a handful of decisions that include a fine. In more than 800 cases, we have not seen a single authority actually carry out an on-site inspection of a company.
Max Schrems: “In recent years, European authorities have produced numerous guidelines and engaged in lengthy ‘informal’ discussions with companies and then ‘close’ cases without further action. Judging from the feedback of compliance officers, this is unfortunately not the best use of taxpayers’ money.”
Insiders’ view still more positive than users’ experience. Although the insiders’ view is already alarming, it is still more optimistic than the average experience of data subjects would allow. For example, when noyb exercised the right of access to personal data, more than 90% of requests weren’t fully answered on time. Most requests are simply ignored. By comparison, 59% of respondents believe that most companies would “mostly” comply with the GDPR’s “core rules”. Practical experience suggests that the the outsiders’ view may be even worse than the insiders’ view.
The only way out: “evidence-based enforcement”. If the respondents are to be believed, the only realistic solution to this this problem is clear: tougher enforcement and clearer DPA and court decisions that force companies to bring their data processing into compliance. A full and detailed list of suggested actions can be found in the study. The results also show the urgent need to gather further objective evidence to ensure that authorities (can) engage in effective enforcement work given limited resources. Repeating approaches that do not work won’t lead to practical changes on Europeans’ phones and computers. The data collected in our survey provides an excellent starting point for further research. noyb will engage in further research as well.