95% of sanctions are triggered by personal data and consent offences

More than 80% of the total GDPR sanctions from 2018 to today concern “violations of substance”, i.e. personal data and consent offences (mainly in marketing and sales activities through direct contacts and with e-commerce, CRM and email marketing tools), while less than 20% concern “violations of form”, with irregularities in governance or privacy documentation. If we then analyse the various “triggers” that give rise to sanctions, we discover that more than 95% of them are linked to “violations of substance” caused by irregularities outside the company and contested by prospects, (former) customers, (former) employees/managers and competitors who complain about too many newsletters, inappropriate phone calls or, in any case, the failure to respect their rights.

At the same time, companies are trying to protect themselves, but paradoxically without considering the primary cause that leads to the sanction, i.e. the trigger which, had it not occurred, would have avoided the sanction altogether. What emerges from the survey is that companies that have invested in GDPR governance very often fail to put the good intentions written on paper into action.

The risk/investment paradox

In order to protect themselves from sanctions, companies are concentrating their investments on governance, which is less exposed to sanctions than violations of substance, which account for 95% of the sanction triggers in Italy and Europe.

By preventing the trigger cause, the risk of sanction collapses

To achieve this, cyber security is indispensable but not sufficient. Cyber security takes an ON/OFF approach to information protection and is designed with the company as the owner of the data. The GDPR reverses this perspective: the owner of the data is the citizen, and it is (also) the citizen who decides what to do with it. Data protection rules are nuanced and conditional: they depend on consents, expiries and oppositions, and they provide for restriction and erasure, logic that is alien to the protection cyber security can offer. This is why it is essential to extend the stack of data security levels with Cyber Data Protection tools as well, starting from the management of consents with a second-generation Consent Manager.

So what is PrivacyOS?

Find out why PrivacyOS is the most innovative Consent Manager on the market

Why keep the criticality of Consent management in-house when it is better to outsource it to PrivacyOS?