Even after six years, the European General Data Protection Regulation (GDPR) remains one of the biggest bureaucratic burdens for German businesses. This is the result of a survey conducted by the German Chambers of Commerce and Industry (DIHK) among 4,900 companies from almost all sectors.
The GDPR still harbors significant legal uncertainties
DIHK survey shows: Businesses continue to be heavily burdenedThis figure applies across all company sizes," says DIHK Chief Legal Officer Stephan Wernicke. Particularly critical: Almost one in four businesses with up to 19 employees categorize their GDPR efforts as 'extreme'.
Communicate simplifications for smaller businesses as well
"However, specific simplifications are possible," says Wernicke. "Because in cases involving only a few data points or low to moderate risk, extensive documentation requirements are disproportionate. They entail more effort but not necessarily more data protection." He emphasizes that the law explicitly allows "facilitations for small and medium-sized enterprises." "However," he adds, "this should be formulated more clearly so that it can be effectively utilized in practice."
Businesses continue to attach high importance to data protection. Over 60 percent state that the significance of the issue has increased for them over the past three years, partly due to the threat of cyberattacks.
Implemented with less bureaucracy abroad
In addition to bureaucratic burdens, businesses particularly lament legal uncertainties and their consequences. "Remarkably, companies with GDPR experience in other EU member states generally perceive the data protection authorities there as less strict than the German authorities," reports Wernicke, citing the survey results. "Around half of the companies also face different legal interpretations from the relevant data protection authorities within Germany."
Such legal uncertainties hinder digitalization and the transition of business processes, warns the DIHK Chief Legal Officer. "The harmonization aimed for with the GDPR must therefore be pursued more rigorously."
More than two-thirds (69 percent) of companies also criticize uncertainties and risks regarding the legal consequences of potential violations of the GDPR. "Particularly, questions regarding possible damages are still unresolved," says Wernicke. "Collective actions under the new Consumer Rights Enforcement Act (VDuG) increase the risk of compensation claims, which are hardly calculable."
Lack of adequacy decisions hampers data exchange
For international data exchange, it is essential to note: In adequacy decisions, the European Commission determines that the level of data protection in a specific third country is comparable to that of the EU, making the processing of personal data generally possible. In other cases, the legal assessment lies with the companies themselves.
However, adequacy decisions are only available for 15 countries worldwide. The lack of recognition of data standards in many parts of the world poses enormous challenges for companies engaged in international data transfers. Thus, 88 percent of businesses facing data protection challenges in international data transfer complain that they cannot independently assess the level of data protection in third countries.
This leads to high liability risks and significant competitive disadvantages for German, as well as European, companies, which can even lead to the abandonment of business areas. "If no adequacy decision exists, at least the EU Commission or the data protection authorities should provide uniform information on the level of data protection in third countries," demands Wernicke.
EU regulations not consistent
The survey also shows that the majority of companies, which complain about legal uncertainties, notice significant discrepancies between the various EU regulations on data economy (such as the Data Act) and the GDPR.
"Fundamental precondition for value creation in an innovative economy is legal certainty. Therefore, the legal uncertainties in the GDPR must be cleared up urgently before additional regulations are added. Otherwise, the problems simply shift," warns Wernicke. "The right time for this is now. The GDPR provides for a quadrennial evaluation in the second quarter of 2024. This should be used to make the regulations in the GDPR practical and legally secure."
The complete survey results are available here for download:
"Making data protection practicable and legally certain" (PDF, 771 KB)