The central question for companies is: how will the supervisory authorities behave? Will I be inspected? And can I be held accountable by an EU authority?
With the GDPR, the legislator has also put the authorities themselves in a difficult situation: it gives them considerably more power to supervise and to sanction, but little thought has been given to the consequences and to what this means for the authorities' resources.
If all serious and allegedly serious data protection breaches (of which there are likely to be more) were to reach the authorities, they would be hopelessly overrun. Some EU authorities have hired hundreds of additional employees, but this is unlikely to be enough to handle the expected volume. The high fines signal that the authorities mean business, so it is to be expected that companies will report more breaches than strictly necessary rather than risk a heavy fine for failing to report.
Recognizing this situation, individual EU authorities have stated that they will not act proactively, at least initially. Nevertheless, they must fulfil their legal obligations when actual breaches of data protection law come to their attention. Their limited resources will therefore force them to prioritize, and it is to be expected that, at the beginning, the focus will be on the most serious cases.
To handle all other cases, the authorities have three options:
- Stretch the time taken to process cases
- Create alternative, sufficiently efficient procedures
- Delegate tasks to third parties (e.g. accredited auditing firms)
This leaves companies some leeway in implementing GDPR measures at the outset. However, once a complaint is filed, both the authority and the company must act, so the minimum readiness described above is necessary.
Over time, the proactive activities the law permits (audits and inspections initiated by the authorities themselves) will certainly take place as well. It can also be assumed that fines will become a means of financing the many new officials. A solid data protection compliance framework is therefore indispensable in the long term.