eco Association: German Business is Awaiting the GDPR with Bated Breath

  • Marketing decision-makers are working towards meeting the requirements of the GDPR before May
  • Only 13 percent of companies see themselves as being legally on the safe side

From May onwards, the General Data Protection Regulation (GDPR) will change the rules of the game for email marketing. But the companies that are really well prepared for it are the exception rather than the rule: Only ten percent have evaluated their processes with regard to the GDPR and adapted them accordingly; most companies (56 percent) are currently still working on this. This is the finding of a recent survey undertaken by the eco Association and ABSOLIT Consulting amongst 600 marketing decision-makers, representative of larger enterprises in Germany. “The decision-makers in companies now need to face up to the challenges and meet the new requirements in email marketing,” urges Dr. Torsten Schwarz, Head of the Online Marketing Competence Group at eco – Association of the Internet industry.

In any case, the survey shows that there is more than enough to be getting on with: a reliably verifiable consent for the receipt of advertising emails, such as a double opt-in procedure (DOI), is only available for every second email address. Nearly a quarter (22 percent) of email addresses that are regularly contacted have no or only legally inadequate consent. Many of those responsible do not yet know what will happen to these email addresses after 25 May. 47 percent still want to come up with a suitable procedure.

Half-baked solutions still widespread

Companies are more advanced in the area of transparency obligations. According to their own estimates, 73 percent already meet the requirements and provide their customers with comprehensive information about what happens to their data. 68 percent observe the principles of data minimization when it comes to generating new addresses for email marketing. 61 percent have already concluded the necessary agreements for order processing with all service providers.

The GDPR stipulates many new documentation obligations, which many companies have so far neglected, with indictable implications. Only 6 percent have implemented the written process documentation procedure prescribed by the GDPR. 30 percent of companies still have to implement processes for providing information, deletion, and correction of data – and there is still room for improvement in profiling: 29 percent still have to check their processes for the automated processing of personal data.

Companies run the risk of high fines

“Thus far, many companies seem to have only half-heartedly implemented the requirements of the GDPR,” says Dr. Schwarz. “In view of the short time remaining until 25 May, the topic is now at the top of the agenda.” This rings especially true, given that companies are well aware of the consequences of non-compliance: 81 percent are aware of the legal implications of an infringement of the GDPR regulations – be it fines of up to 20 million euros or up to four percent of the worldwide turnover of the previous year. The companies, and especially the company data protection officers, have a lot of work to do in the coming weeks. Incidentally, an internal employee takes on this role in 57 percent of companies, while 35 percent employ an external service provider – four percent of the companies work without data protection officers.

Support in this area is provided by eco, the largest European association of the Internet industry. On request, it provides member companies with headquarters in Germany with an external company data protection officer. Among other things, this officer provides expert advice on the fulfilment of data protection requirements, trains employees and also conducts data protection audits. Companies thus fulfil their legal obligations. For its international members, eco can provide the expert know-how required for any company that has customers within the EU, regardless of where they are based. eco can also act as the EU representative for non-European member companies that are required by law to appoint one.

*335 large companies (over 500 employees), 143 medium-sized companies (200-500 employees), and 128 small and medium-sized companies (50-200 employees) were surveyed.