Servus aus München!
Lifestyle, joie de vivre or "lebensart" — whatever you call it, Munich has it in spades. It might be down to the clear blue skies of June or simply the city's beauty, but one thing is for certain: The people of Munich always like to show their best side, whether they're in a beer garden, on one of the exclusive shopping streets, hanging out in the English garden (city park) or surfing the Eisbach River. Yes, you read that right: You can surf one of the rivers here, which is not something you see every day.
As you may know, IAPP President and CEO J. Trevor Hughes, CIPP/US, is spending a couple of months here in Europe, meeting and engaging with the European membership and privacy community at large. This week, we happen to be in Munich, and we have had some interesting meetings and conversations with senior privacy pros across different industries talking about the impact of the GDPR.
Germany has a long history of DPOs going back as far as the 1970s — so this is not a new concept for the Germans. Among the legal requirements — under the current legal Federal Data Protection Act — that have to be met by German employers is the compulsory requirement of an appointment of a DPO ("Datenschutzbeauftragter") for all companies that employ more than nine employees permanently engaged in automated data processing or at least 20 people who are engaged in nonautomated data processing. For the assumption of “automated processing,” it is already deemed sufficient that the respective nine employees render services by using a company computer. Thus, in practice, German law requires that most employers appoint a data protection officer.
Interestingly, more than one senior privacy pro told us that the DPO function has not always been highly regarded within German organizations; often, the role has been little more than an appointed administrative post with little or no influence on organizational strategy. Over the last years, this has started to change, with the emergence of a "new breed" of privacy pro, a "new and more dynamic crowd."
With the advent of the GDPR, times are changing. The law firms we spoke to say that demand for services is high. Moreover, the profile of a company looking for assistance with the GDPR has diversified into atypical client sectors, such as the food and agricultural industries. As in most countries, the trend is that the larger organizations are in full swing with implementation and generally have been since before the GDPR was adopted. It’s the midsize German companies and the SMEs that are only starting to look at the GDPR, requiring a range of activity, from legal advice through to full project implementation. The law firms often look to work in tandem with business consultancies to provide the full range of services: the law firms providing the legal structure and advice, while the consultancies provide the in-house GDPR project implementation. This seems to be an efficient model in terms of resource and cost deployment.
External outsourcing of the DPO services is increasingly commonplace here in Germany, even for those organizations with an existing DPO function. This is largely explained by the growing importance of the role and the changing nature of the responsibilities under the GDPR, as well as a clear deficit in skill sets in sitting DPO functions: Companies are seeking more support and assistance with projects.
We finished off our day with a Munich KnowledgeNet meeting focusing on the impact of the GDPR on HR data processing and employee data protection. Presentations were made by co-chairs Undine von Diemar, partner at Jones Day; Ulrich Baumgartner, partner at Osborne Clarke; and Gregor Thüsing, professor and director of the Institute for Labor Law and Social Security Law of the University of Bonn. Hughes gave a thought-provoking keynote on the question of the societal and the cultural importance of privacy in the modern era and its future, while also giving an update on the IAPP and our ongoing efforts to support the privacy pro with an emphasis on GDPR readiness.
It's clear that support is needed. We at the IAPP stand at the ready.
If you want to comment on this post, you need to login.