Servus from Munich!

Bavarian Data Protection Commissioner Thomas Petri opened this year’s IAPP DPI: Deutschland privacy conference in Munich and spoke about the challenges of the public sector to meet the requirements under the EU General Data Protection Regulation. He also highlighted the need to further align its practical implementation and passionately spoke about the benefits of the GDPR for citizens in dealing with public authorities, as well as the need to provide more public information on this topic.

With bilingual tracks in German and English, privacy pros from across Europe discussed the practical implementation and enforcement actions under the GDPR.

One of the topics discussed with Thomas Kranig, president of the Bavarian Data Protection Authority supervising the non-public sector, Stefan Brink, commissioner for Data Protection Baden-Württemberg, and Barbara Thiel, commissioner at the State Commissioner for Data Protection Lower Saxony, was the use of web-tracking tools.

Kranig underlined the position of the German DPAs that the use of any tracking tools collecting information of website visitors for functions like re-targeting or cross-device tracking would require prior documented consent before being deployed. He also confirmed that he has started legal proceedings on companies in Bavaria on this topic and intends to issue fines on those companies in the near future.

Thiel provided insight into her ongoing legal investigations, currently running health checks on the overall privacy status of about 50 companies. She highlighted that companies seemed to struggle especially with meeting minimum IT security standards and to properly conduct privacy impact assessments. On a separate session, she shared more insight on how to meet the requirements under Article 35 of the GDPR, which was followed by Oliver Draf, chief privacy officer of Volkswagen AG, presenting details of the VW PIA on autonomous driving.

Brink outlined his perspective on the recent decision allowing DPAs to prohibit the use of Facebook Fan Pages in Germany.

On the English language panel, Helga Þórisdóttir, the data protection commissioner for Iceland, Anu Talus, from the Office of the Data Protection Ombudsman, Finland, and Piotr Drobek, Personal Data Protection Office, Poland, spoke about the enforcement actions in their respective countries and efforts to support and assist DPOs and privacy pros at large.

As with last year’s event, the session with DPOs speaking to their experience with the GDPR over the last year caught the attention of the attendees. With privacy leaders from Birkenstock, BMW, Cerner, Fresenius, Garmin, IBM, PSI Cro and Swiss Re, the audience had vivid discussions on the key learnings for these organizations.

With the industrialization of the privacy profession as a whole — especially in the last two years — the current focus as shared by attendees is squarely on practical implementation. It was noticeable that one year on from the GDPR, there was a greater sense of confidence with the regulation, and attendee questions have become increasingly specific and practical in nature. However, as privacy pros, we should always have in mind the values we stand for and represent, as well as the goals we are aiming to achieve with privacy regulation and its implementation.

I look forward to continue this discussion at the IAPP Europe Data Protection Congress in Brussels Nov. 20-21.