GDPR – Risk management rather than panic


A humorous and therefore not so serious view on dealing with the emerging GDPR panic…

Today is the 26th of May 2018 and the GDPR transition period has run out – now it is finally in place. The first coffee started working and I think back to headlines like “penalties up to 4% of group sales, 20 Mio. EUR” and simultaneously salutary promises such as “GDPR fit check” or “GDPR compliant with…” over the last couple of months.

The fact that there have been laws on data protection for the longest time and that they have been implemented in the same ways as the GDPR was mostly unmentioned. Isn’t it simply a risk to be reassessed?

Which factors should be used?
  • Group sales in EUR
  • Severity of neglect – so you know if you need to put 2% or 4% into your piggy bank. Data processing registers and technical as well as organizational measures among other things would need to be put on paper adequately – reporting obligations developed into processes – obtain approvals in a sufficiently clear form and appoint someone to Data Protection Officer, a function which has tenure and is not bound by directives.


Which probabilities of a possible examination by the data protection authority are included in the calculation?
  • Probability of the principle of chance
  • Probability due to lawfully reported data leaks. The criminal interest in my data needs to be juxtaposed to my data protection maturity level.
  • Probability due to complaints of violated rights

Resulting in a risk amount that suggests a decision and corresponding priority.


To emphasize the importance of the calculation in the in-house management, some details can be supplemented:
  • The penalty can be passed more than once
  • Recourse claims of the owners against the management
  • Compensation claims of angry victims
  • Image damage


This short, deliberately oversubscribed, not legally binding and hopefully humorous article should motivate you to find the right speed and depth for your privacy practices. It is based on the basic attitude of a proper businessman to comply with European regulations and a risk analysis that sets the right priority.

As a long-standing IT service provider, the ITSDONE Group is committed to IT security and data protection. The compliance with own specifications (ISAE3402) and legal regulations is a matter of course.

25 Jan
GDPR – Risk management rather than panic