4 lessons we learned from GDPR in 2018

February 5, 2019

In 2018, we observed the GDPR entering into force, the hectic efforts of companies to become compliant, and the first fines rolling in across Europe. What can we learn for the future from the first 8 months of GDPR?


  1. Get your data security basics straight: Encrypt passwords and implement logical access control

It has been generally accepted for some time that passwords should be sent over any network, in particular the Internet, only in an encrypted form (e.g., using HTTPS). As regards the unencrypted storage of passwords, IT security experts have long argued that this practice, too, poses an unacceptable security risk. The clear recommendation is therefore to store passwords only in an encrypted fashion.

The second basic data security rule is logical access control. This requires three distinct steps:

  • Identification: The user has to disclose his or her identity. Any system that allows users to log in using accounts such as “test” or “admin” already fails this basic requirement.
  • Authentication: The user’s identity is verified, typically using one or two of the following three factors:
    • something that the user knows, such as a password
    • something that the user has, such as a key or token
    • something that the user is (i.e., biometrics).
  • Authorization: Once the user’s identity has been verified, the user is granted access only to the data that the user needs to perform his or her job duties (need-to-know principle).
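
The three steps above, together with protected password storage, as an added example that is not part of the original article. It stores passwords as salted PBKDF2 hashes (a one-way derivation chosen for this example); the role map, user names and function names are all constructed assumptions.

```python
import hashlib
import hmac
import os

SHARED_ACCOUNTS = {"test", "admin"}   # generic logins identify no individual
ROLE_PERMISSIONS = {"nurse": {"patient_chart"}, "billing": {"invoices"}}
USERS = {}                            # user_id -> stored record (no plaintext)

def derive(password, salt):
    """Salted, deliberately slow one-way derivation of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(user_id, password, role):
    if user_id.lower() in SHARED_ACCOUNTS:
        raise ValueError("shared account names are not allowed")
    salt = os.urandom(16)
    USERS[user_id] = {"salt": salt, "digest": derive(password, salt), "role": role}

def access(user_id, password, resource):
    """Run the three steps in order and report which one decided the outcome.
    The distinct strings are for the demo; a real login reply should not
    reveal which step failed."""
    # 1. Identification: the login must name one known individual.
    record = USERS.get(user_id)
    if user_id.lower() in SHARED_ACCOUNTS or record is None:
        return "denied: identification"
    # 2. Authentication: knowledge factor, compared in constant time.
    candidate = derive(password, record["salt"])
    if not hmac.compare_digest(candidate, record["digest"]):
        return "denied: authentication"
    # 3. Authorization: need-to-know, based on the role's permitted resources.
    if resource not in ROLE_PERMISSIONS.get(record["role"], set()):
        return "denied: authorization"
    return "granted"

# Constructed sample users.
register("alice", "correct horse battery", "nurse")
register("bob", "staple tangerine", "billing")

if __name__ == "__main__":
    print(access("alice", "correct horse battery", "patient_chart"))
    print(access("alice", "correct horse battery", "invoices"))
    print(access("alice", "guess", "patient_chart"))
    print(access("admin", "admin", "invoices"))
```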


  2. Cooperate with authorities

The case of from Germany proves that full cooperation with authorities may significantly reduce the financial penalty imposed. In particular in cases where the DPA will learn of the breach anyhow – e.g., because data breach notification requirements are triggered – full cooperation may reduce the overall regulatory risk significantly.


  3. “Old” types of violations will still be prosecuted

With the introduction of the GDPR, much attention has been paid to cutting-edge technologies. However, the CCTV case from Austria demonstrates that old-fashioned violations still matter. After all, old-fashioned technologies are well understood by data protection authorities, making them low-hanging fruit from the enforcement perspective. Companies should therefore continue to keep an eye on “old” data processing operations, such as CCTV systems.


  4. Focus on Sensitive Data

The processing of sensitive data, for instance, large amounts of health data, is associated with a high enforcement risk. Given that the unlawful handling of such data is of great concern for large parts of the population, data protection authorities will assign a high priority to enforcement issues concerning sensitive data. When collecting large amounts of sensitive data, companies should therefore focus significantly on compliance with GDPR.
