Lower Saxony: Improvement in compliance, but more work needed

Published on Wednesday, November 13, 2019 - 10:20 by Martin Fletcher

Last week the Supervisory Authority of Lower Saxony released the findings of a study it undertook looking at how businesses changed during the transition to GDPR.

The results show that the regulations have had some impact encouraging organisations to take data protection seriously. However, there are still areas that many businesses find difficult, which share a lot of similarities with what we see when working with clients in the UK.

In the study the Supervisory Authority selected 50 Data Controllers based in Lower Saxony (each German state has its own Supervisory Authority). All were involved in processing personal data of both staff and members of the public. 20 companies were selected from a list of the 100 largest businesses in the state, the other 30 were selected from medium sized employers. The study specifically chose not to look at small enterprises on this occasion.

In November 2017 the selected data controllers were asked to complete a self-assessment, covering organisational readiness for GDPR. The organisation was then asked to complete a second assessment at the end of June 2018 to find out where improvements had been made.

For both assessments, each data controller was given a compliance score of Red, Amber or Green. In November 2017 30 of the Data Controllers were given a Red rating, denoting areas of considerable non-compliance. 15 were rated Amber and 5 were rated Green.

Seven months later and a month after GDPR took effect the test was repeated, with a marked improvement seen across many of the organisations. 4 of the organisations previously rated Red had managed to jump up to Green, in total there were:

  • 9 rated Green
  • 32 rated Amber
  • 9 rated Red

While this does show movement in the right direction in terms of compliance, there is clearly still work that needs to be done. Across the organisations the Supervisory Authority found that data controllers were particularly struggling in the following areas.


Many organisations were either not completing DPIAs at all or they were not sufficient to achieve the required purpose of the assessment. Across UK businesses we can see a similar trend, with organisations often unclear when and assessment is required or how it should be carried out. DQM have worked with clients in a range of sectors including utilities, media and charities to implement processes for ensuring these assessments are taking place and personal data risks are managed.

Technical and Organisational measures

While Data Controllers did have some measures in place, the study revealed that the goal of these was largely to limit harm to the business rather than considering the impact on data subjects. While these things aren’t mutually exclusive, taking this attitude can mean prioritising areas incorrectly when making risk decisions regarding security. Analysing the impact that incidents could have on data subjects and demonstrating that this has been taken into account can help the organisation make smarter security decisions and justify them if/when something goes wrong.


In a close third place was another issue that has had many UK businesses scratching their heads, consent. The study found that in many cases information was unclear meaning that Data Subjects could not be considered to have given informed consent. Even where consent was informed, Data Controllers often fell down on not being able to make consent as easy to withdraw as to give. Cases of non-compliance relating to consent can carry particularly heavy fines from regulators in the event of a data breach.

Ongoing compliance

The study shows that GDPR has given Data Controllers a push towards processing personal data securely and fairly. However, there is still work to be done. In the case of the companies involved in the study, the Lower Saxony Supervisory Authority is continuing to provide ongoing support to those that scored Red. Doing this is helping to reveal some of the wide range of challenges that businesses struggling with data protection face and strategies to overcome them.

Find out more?

Leave your contact details below and one of our expert team will be in touch

We will only use the contact details you supply on the basis of our legitimate interest to respond to your query and contact you about DQM GRC. You will always be given the opportunity to opt-out from future communications. Please read our privacy policy for more details.


Find out more..

If you are interested in any of our services then please either use the contact form or contact us via of the methods below:

  •   Telephone
  •   E-mail

  •   +44 (0)1494 442900
  •   sales@dqmgrc.com