One in three companies has not yet dealt with the General Data Protection Regulation

The large majority of companies in Germany might be facing millions in fines within a few months. On May 25, 2018, after a two-year transition period, the provisions of the EU General Data Protection Regulation (GDPR) must be implemented - but only a minority will be able to meet this deadline.

Only 19 per cent of companies that are currently dealing with the GDPR assume that they will have fully implemented the requirements of the Regulation by this date. A further 20 per cent expect that they will meet most of the requirements. More than every second company (55 per cent) states that the implementation will only be partially concluded in eight months.

This is the result of a representative survey among more than 500 companies, which Bitkom presented at its Privacy Conference in Berlin today. "Time is pressing to implement the provisions of the General Data Protection Regulation. Companies that have waited until now will have to deal with the issue as quickly as possible", said Susanne Dehmel, Member of the Executive Board for Law and Security at Bitkom. "People burying their head in the sand will soon be violating the law and risk fines at the expense of their company."

Currently, only 13 per cent of companies have begun or completed first measures to implement the GDPR. Dehmel: "A year ago, the quota was 8 per cent; obviously, not a lot has happened since then." 49 per cent are currently dealing with the topic. One in three companies (33 per cent) stated that they had not yet dealt with the requirements of the Regulation at all. Of the companies which have already dealt with the GDPR, about half (47 per cent) stated that what they have done so far amounts to no more than 10 per cent of all the necessary work. Only 3 per cent assume that they have completed more than half of the tasks.

Even basic organizational prerequisites for data protection are often missing in the companies. For example, 42 per cent of the companies state that they do not maintain so-called processing records, which document the internal procedures for the processing of personal data. A year ago, the quota was similarly high at 46 per cent.

Without such a record, the adaptation of one's own procedures to the GDPR's requirements is difficult. "A list of processing activities is already mandatory under the current legal framework, but in the future it will be needed even more. The new Regulation requires companies to provide proof of compliance with regard to their data processing. Such data protection documentation will play an important role in disputes", said Dehmel.

The survey also shows: In many companies, operations cannot be performed properly without using personal data. One third (32 per cent) uses personal data to improve products and services. And 4 out of 10 companies (42 per cent) even claim that the use of personal data is the basis of their own business model. Dehmel: "Given the importance of personal data for business operations, it is hard to understand why so many have so far failed to act during the transitional period of the General Data Protection Regulation."

Companies that have dealt with the GDPR named the difficulty in estimating the implementation costs (52%), legal uncertainty (43%), and lack of guidance for the practical implementation (32%) as the most difficult challenges with regard to the implementation of the GDPR. Accordingly, 28 per cent wish for the EU Commission's guidance on the interpretation of the Regulation, 27 per cent would like to have practice guidelines, and 16 per cent wish for guidance from the supervisory authorities. "In many respects, the law is vague and the companies are missing guidelines on how to deal with those uncertainties. Concrete specifications would be helpful", says Dehmel. "However, legal uncertainties must not be a reason to sit back and do nothing."

35 per cent of the interviewees expect an additional expenditure for the company because of the GDPR in the future. One in every five companies (20 per cent) even expects a much greater effort. Only 3 per cent expect less effort in the long term. Nevertheless, confidence and skepticism appear to be balanced regarding the overall evaluation of the General Data Protection Regulation.

For example, 6 out of 10 companies (60 per cent) expect the GDPR to lead to greater legal certainty in the long term and almost as many (57 per cent) expect greater consistency of conditions of competition in the EU. 4 out of 10 companies even say that their own business is benefiting from the GDPR (39%) and that the GDPR represents a competitive advantage for European companies (38%).

However, there are also critical evaluations. For instance, 57 per cent fear a rise in legal uncertainty in the short term, and 42 per cent believe that business processes will become more complex. More than one in three respondents (36 per cent) also say that the GDPR slows down innovations in Europe, and every fourth (23 per cent) sees a competitive disadvantage for European companies. And 14 per cent even go so far as to say that the General Data Protection Regulation poses a threat to their own business.

As an introduction, Bitkom has published "Questions and Answers" (FAQs) on the General Data Protection Regulation which provide an overview of the changes to today's legal situation. In addition, Bitkom has developed four practice guidelines on how companies can implement various obligations of the Regulation, three of which are already available in English:

  • Verarbeitung personenbezogener Daten in Drittländern – Version 1.2/ Auf Basis der EU-Datenschutz-Grundverordnung
  • Risk Assessment & Data Protection Impact Assessment
  • The Processing Records – Records of Processing Activities according to Art. 30 General Data Protection Regulation (GDPR)
  • Template Agreement Annex – Processing of personal data on behalf of a controller in accordance with Article 28 (3) of the EU General Data Protection Regulation (GDPR)

All the guides are available for free download on the Bitkom website.

Methodology: The data is based on a survey conducted by Bitkom Research on behalf of Bitkom. 507 persons in charge of data protection (company data protection officers, managing directors, IT managers) of companies of all industries with at least 20 employees in Germany were interviewed. The survey is representative.

Susanne Dehmel

Member of the Executive Board for Law and Security
Bitkom e.V.