Who of you has no idea what GDP is. Okay. Thought so. And who of you? GDP? I experts has spent time on thinking about European data protection laws. Let's say five or six years ago. One where you from thought so brilliant. And that is one of the key aspects that I'm gonna talk about now when talking about GDP in practice is awareness. Because if GDPR has done one thing, it has raised awareness for data protection. Many of you will know that until that magic word of fines and penalties has been introduced into the world of data protection. It has been merely a paper tiger. Everyone knew there is data protection regulation in Germany. It might, or in Europe, it might even have been strict on paper, but the authorities were not really staffed. They did not really execute and enforce. And if you got caught, well, it might have been worth the investment with the new fines that has definitely become a difference.
And that obviously led to many, many horror stories of what would happen if at all the sun goes up on 25th of May, which it surprisingly has. So the world kept turning. And, but what we've seen is a lot of horror stories about lawsuit of a lawsuit hitting the mailboxes on the 25th of May or maybe 28th of people were really slow authorities coming with their SWAT teams, entering data centers and analyzing data processes and bringing already the fine letter with them. All of this has obviously not happened, but nevertheless, we've seen many, many strange consequences taken by people out of GDPR. Many non-profit associations have shut down their websites, individuals who were running personal websites complained, no I'm not gonna do that anymore. I might end up in prison and, and all of that stuff. And luckily, none of this has obviously happened. The politicians noticed that all of these horror stories mainly spread by lawyers.
I have to say we're really threatening the economic atmosphere and basically how everyone perceived business could be conducted in Germany. Can I still have an online platform? Can I conduct business online or would that ruin my business? And so the minister of inner affairs, and it was on the, on one of the main news pages in Germany on the 24th of May reached out to the data protection authorities and asked them to act with good judgment and not impose fines. As soon as they figure out a company might not be compliant. And that eased everyone, everyone a little bit, at least because politicians noticed that maybe they didn't really do themselves or the economic atmosphere big favor with GDPR.
But yeah, it has definitely led to a huge increase of awareness, both on the way up to the 25th of May. But also from, from that day on, I work for, for HRS group, we're a global hotel solutions provider. We do work with B2B customers, but also with just an B2C online booking Porwal some of you may have booked a hotel with us already. So we do have end consumer business as well. And during the period from 25th of May, to 2nd of June, we got 5,000 information and deletion requests from end consumers. We obviously were prepared and had a, a website where you could enter your data, identify yourself. And yeah, within a week there were 5,000 consumers requesting information about the data that we have about them or all data that we requested in total. As you can see from the headline, the authorities are swamped with work. They honestly a admit in newspapers that they cannot keep up, which also helps easing the atmosphere on, on the side of companies because you know that they will not come with their SW team.
They didn't hire SWAT teams. And they're basically trying to keep up with the complaints and, and requests that they receive. We've tried to, as a company to contact the data protection authority, that's responsible for us. And that's hardly possible. If you get through on the telephone, you can leave a voicemail. Emails will not be answered within two or three weeks. So they are totally swamped with work. And as you can see, the information commissioner office in UK has reached 6,200 complaints within five or six weeks. They had 2000, the whole 2017. So people really are aware of their rights and what they can do and what they should not accept. As you can imagine, these complaints are not always written by lawyers or legal experts. So they come in very different colors and very interesting wording sometimes. So this is definitely raising workload.
They tend to get impatient under GDPR. You have about have four weeks to respond to an information request. Luckily, we were up to speed, but I've heard from colleagues and other other companies who did not have an optimized process to handle those requests and therefore could not respond within four weeks. And after five weeks, they already had the first complaints from consumers who were then also informing the authorities that the information request has not been handled within that four weeks period. So people are very sensitive about that and they keep sending information requests and inter lesion requests.
So yeah, the key key aspect of that, or key key conclusion that you conclude is people are aware of the rights that you executed. GDPR is no longer a paper does not has led to a situation of data. Protection is no longer a paper tiger people make use of their rights. They ask questions, they request deletion. They follow up with that. And that use that leads to an incredible increase in the workload of people that are working in data protection also in data. So we, as a company, we are purely database basically. And we have at least, at least in our headquarter in cologne where we are 700 people, I would say at least 50 or 60 have been involved in data protection, GDPR compliance in the process to build and develop and handle those requests. They still are. Obviously, although we have achieved a status of compliance, there is still so many individual aspects that you need to deal with. As I said, these requests come in all shapes and colors. Some of them are not happy with the answer that they get with the format in which the information comes and all that stuff. So, yeah, you're in constant communication, both with, with the individuals, but also internally, it, it causes a huge, huge workload for, for everyone involved.
Yeah. This is not a revolutionary conclusion that you can draw, but if it has shown, if, if one thing has become clear, a clear recommendation is to maintain the momentum that all companies have picked up in the way up to 25th of May and keep working on data protection compliance and GDPR compliance. As I said, the GDPR project has led to an increasing workload on everyone's side, which was the same for me. So for many, many weeks prior to 25th of May, my focus in my daily work was data protection and many, many other things had to wait. People were understanding. I had the first email on 25th was a Friday. So on 28th of May, it's 11, 10:00 AM saying, hi, Tim. Now that GDP is over, you can surely help with this request, right? Yeah. That, that's the mindset that we need. And yeah, that that's exactly, it sounds funny, but it's indeed what many people think GDP is not a thing that came into fourth on 25th of Maine is over now.
It was, it was actually only the kickoff, I guess, to a whole new era of awareness for data protection of people making use of their right. And I think in the long term, this will indeed have, have an impact on how products and services will be displayed, how they will be perceived by customers. And I guess I mentioned that last year when I spoke at this conference, we use that term survival of the fittest for those companies who comply and those who don't. And I think it has absolutely shown to be the future that this will be the case. Only those who have processes in place and the right data protection mindset will be in a position to provide services and products that customers will be happy to, to pay for and to use. And all those who only give the slightest impression of not being in line with those requirements will not be successful in the market. So yeah. Conclusion is keep working on it, if you haven't yet, I'd recommend starting and yeah, that's a quick insight. We're gonna talk about GDP a lot more tomorrow in a workshop. That's it for now? So if you have any questions, shoot,
Yes, we have a couple minutes left.
If you're a us company, you know, with, you know, 10 or 15% of your revenue coming from the EU region, what would be your recommendation? Wait and watch how chips have fallen or start working on it right away.
Start working on becoming GDPR compliant. Yeah. As a, as a us company with yet not small
Person,
It's a risk based decision that you can do depending on how small that business is and what the, what the roadmap says for presence in, in Europe. I mean the, the amount of a fine will obviously always depend on the volume of a potential breach. But if, I don't know if we're talking a couple of thousand users and all of their data at once are being breached, that can be sensitive already. I would say, get familiar with the basic principles,
At least have an idea of what you would need to close the gap to compliance, but definitely not wait and start thinking about it when it's too late. So it, it definitely something where both consumers and authorities will not have any understanding the excuse well we're from the us. We didn't really think it would relevant to us that that's not gonna help on 27th of May, Facebook, Instagram, and WhatsApp, I guess, already at the phone's complaints in their letter box. So those were obviously the ones targeted first. I would definitely at least make a conscious risk decision and not wait and see.
Okay. I think we have time for one last question.
This kind of goes back to your presentation from WSO two, he mentioned pseudonym identity for data analytics, and then you remove the mapping of the identity to the pseudonym identity. But if I've collected enough information about you, doesn't that essentially equate to your identity and what do you think GDPR GDPR will do to address the analytics portion and the P anonymous identity mapping?
Yep. Yeah, that, that's a very good question. In the context of the definition of what PII actually is. So it's not only your blank name, address birthday, or whatever German data protection authorities have been very clear since a couple of years that also non-personal information in a sense as not directly identifying you, but gathered and aggregated in the right way can identify you. And this aggregation can then be considered as personal information. So just making personal information, pseudonym it in, in the sense of removing the directly identifying piece, but still aggregating, it will put you in the same spot and that it will just be within the scope of GDPR as, as personal information.
Okay. I think that's time there. Thank you, Tim.
Thank you.
