72% complain that we are overdoing it with data protection in Germany, compared to 64% a year ago. And as many as 77 percent say that data protection is hampering digitalization in Germany (2024: 70 percent). “We should take this assessment by companies seriously and enable both effective and practicable data protection for the digital society. With the digital omnibus, the EU Commission has initiated important steps to reduce everyday problems in dealing with data protection. But the structural hurdles remain,” says Susanne Dehmel, member of the Bitkom Executive Board. “There is legal uncertainty in many sectors, for example when it comes to consent, which not only has to be documented, but also formulated and checked in a legally compliant manner. The multitude of complex data protection regulations creates time-consuming and sometimes bureaucratic processes in companies. There is an urgent need for clarity and relief here.”
Ongoing data protection construction site
For companies, the biggest challenges in implementing data protection requirements are the fact that this process is never completed (86%) and the uncertainty surrounding the exact requirements of the GDPR (82%). In addition, there are recurring checks when rolling out new tools (77%). This is followed at some distance by what companies consider to be generally excessive requirements (69%), inconsistent interpretation within the EU (54%), a lack of advice from supervisory authorities (54%), conflicting legal requirements (53%) and inconsistent interpretation within Germany (37%). “Companies are experiencing a constant burden from data protection, which ties up scarce resources that are lacking elsewhere,” says Dehmel.
But there are also challenges within companies, especially the time required for necessary IT and system changes (50 percent) and the effort involved in making employees understand the complex requirements (46 percent). In addition, there is a lack of qualified employees for data protection implementation (38%), a lack of financial resources (31%) and insufficient involvement of data protection officers (25%). At the bottom of the list was a lack of support for data protection within the company (12%).
Where companies want improvements to be made to the GDPR
These are also the areas where companies would like to see improvements to the GDPR. Around three quarters want the obligation to document processing activities to be reduced (76 percent) and the prohibition with reservation of permission to be abolished (73 percent). Six out of ten companies are in favor of simplified use of pseudonymized data (63%), mandatory, more practical advice from the supervisory authorities (62%), more legal certainty when weighing up interests (61%) and fewer information obligations (60%). For 54%, more data processing should be made possible without consent, while 53% would like to see a reduction in the amount of checking required for data protection impact assessments. A third (33%) would like to abolish the obligation to appoint a data protection officer. “Companies want to make the GDPR practicable after seven years,” says Dehmel. “Data protection must be understandable and applicable.”
The wishes reflect where the greatest effort is currently required to implement data protection in companies. For 73 percent, this is the obligation to document processing activities and technical implementation (69 percent). This is followed almost equally by the clarification of legal requirements (57%), coordination with external service providers (54%) and the fulfillment of information obligations (53%). 43% cite safeguarding the rights of data subjects, 36% each cite employee training and the assessment of data protection violations, 33% the development of internal data protection skills and 25% the appointment of a data protection officer. No company states that it is free of data protection problems.
For and against a central data protection authority
However, it is not only the data protection rules that are seen as in need of reform; there is also criticism of the supervisory authorities. Around two thirds (69 percent) of companies complain that the German data protection authorities apply the GDPR too strictly. One consequence: companies are overdoing data protection for fear of violating the GDPR (62%). A small majority of companies are in favour of centralizing data protection supervision at federal level. 53% are in favor of the proposal, 42% are against it. “The discussion about a reform of data protection supervision in Germany is important. In view of the many challenges facing companies, we need to make the best possible use of the authorities’ resources and, in particular, ensure good advice and uniform interpretation and enforcement,” says Dehmel.
A quarter of companies report data protection violations
Data protection violations usually have consequences in companies. A quarter of companies admit to them for the past twelve months. 19 percent had one breach, 6 percent had several. 59 percent had no data protection breaches, 16 percent do not want to or cannot provide any information. 57 percent of the companies that had data protection breaches reported them to the supervisory authority, 29 percent did not report them and 14 percent do not want to or cannot provide any information.
Around one in two companies with data protection breaches described them as very serious (16 percent) or somewhat serious (32 percent). For 23 percent, they were not very serious, for 19 percent not serious at all and one in ten (10 percent) cannot or do not want to provide any information. When asked about the consequences of the biggest data protection breach of the past twelve months, 93% cite organizational costs. This is followed at a clear distance by a fine (51%). 18% lost customers, 7% had to pay compensation and 7% also suffered reputational damage. For just 5 percent, there were no consequences at all. “Breaches of data protection are not without consequences, they have consequences,” says Dehmel.
Data protection slows down artificial intelligence
With regard to artificial intelligence, companies are increasingly critical of the role of data protection. 7 out of 10 companies (71 percent) are calling for data protection to be adapted to the age of AI. For more than two thirds (69 percent) of companies, data protection makes it difficult to train AI models. A year ago, the figure was only 50 percent. And 63% believe that data protection is driving companies that develop AI out of the EU (2024: 52%). 57% say that data protection generally restricts the use of AI in the EU (2024: 57%) and data protection hinders the use of AI in 54% of companies (2024: 52%). Conversely, 58% also believe that data protection creates legal certainty in the development of AI applications (2024: 53%). “Artificial intelligence is the key technology of the future and AI needs data. Data protection regulations should also be reviewed with a view to Germany’s position in the future world of AI,” says Dehmel.
Wishes for politicians: simple rules and less bureaucracy
The companies have a number of wishes for politicians and administrations: a large majority of 85% would like to see more comprehensible data protection regulations, and just as many would like to see a reduction in the bureaucratic burden of data protection incidents. This is followed by the promotion of a GDPR reform at European level (79%), better coordination of data protection and other regulations such as laws and ordinances (69%) and better support from data protection authorities (62%). 53 percent want more differentiated data protection requirements according to company size – currently 62 percent of companies say that data protection is often difficult to implement for smaller companies
– – – – – –
Further links
👉 www.bitkom.org
Photo: pixabay
