How are companies and organizations coping with the EU General Data Protection Regulation (GDPR) so far?
An interim assessment after 5 years of the EU GDPR
The EU GDPR has been in force in all EU member states since May 2018. Right from the start, it was clear that the new rules would be a challenge for some companies and organizations. After five years, not all companies have fully implemented the requirements: in 2022, according to a Statista survey on the status of GDPR implementation in Germany, 22% of the companies surveyed had still not fully implemented the GDPR and 33% had implemented it only partially.
Aims and contents of the General Data Protection Regulation
The aim of the GDPR is to strengthen the fundamental rights and freedoms of natural persons and the protection of personal data through a uniform data protection standard across the EU. It contains 99 articles, which are explained in full in 173 recitals. Among other things, it covers:
- principles and lawfulness of data processing
- the tasks of data protection officers
- the handling of data subjects' information rights
- the security of data processing
- the keeping of a record of processing activities
- the entire area of data security.
Changeover to the GDPR hampered by the effort required
The complexity of the General Data Protection Regulation was intimidating from the very beginning, particularly for small and medium-sized enterprises and organizations. The results of a study by the digital association Bitkom in September 2018, four months after the deadline, already indicated this: many companies had not yet responded adequately to the entry into force of the new regulation.
Only 24 of the more than 500 companies surveyed in Germany said they had completed the changeover in full. 78 complained of higher costs due to the EU GDPR, and 96 already called for improvements.*
Lack of proportionality drives small players out of the digital sphere
Bitkom President Achim Berg made a similar statement in May. He complained that member states, data protection authorities and companies still interpret the data protection rules differently. A further problem is that no distinction is made between global corporations and small and medium-sized enterprises, which puts the smaller ones at a disadvantage.
More "everyday assistance" needs to be provided, Berg said. Three out of four companies already see the EU General Data Protection Regulation as the biggest hurdle to adopting new technologies.** According to a survey by the Stuttgart University of Applied Sciences, small businesses and organizations (e.g. associations) respond to their lack of knowledge with drastic measures: fearing that they will break the rules, they restrict or even give up their digital offerings altogether.***
Insufficient knowledge of regulations and penalties in companies
Further studies on the subject confirm Bitkom's findings. At the beginning of 2019, about a third of the companies surveyed had not even started the changeover, and many others were unsure whether they would be GDPR-compliant by the end of 2019. A further problem was that companies' IT systems supported the changeover to GDPR compliance only to a limited extent. Experts attribute the difficulties of the changeover to insufficient knowledge, and in part to companies underestimating the importance of the changeover.
For example, a study by the software manufacturer TeamDrive found that most companies were more concerned with protecting their own IT infrastructure against hacker attacks than with compliance with the EU GDPR.**** This may also be related to insufficient knowledge of the possible penalties.
Tough sanctions for GDPR violations
In fact, companies should not take the requirements of the General Data Protection Regulation lightly, because the possible fines for non-compliance are substantial. The regulation requires that fines are not only effective and proportionate in each individual case but also a deterrent. With a penalty framework of up to 20 million euros or 4% of worldwide annual turnover for particularly serious violations, this is probably ensured.*****
In Germany, only 81 fines totalling €485,490 had been imposed by July 2019. Others, however, have felt the EU rules more painfully: British Airways was fined USD 229 million, and the Marriott hotel group had to pay a fine of USD 123 million.******
GDPR not only causes problems
Despite the negative aspects, Achim Berg says, there are also some positive results. For example, the EU regulation has an "international radiating effect": it has led global corporations and important trading partners to align themselves with it.** Likewise, fundamental awareness of data protection has increased. This not only means greater protection of personal rights; it also brings a better competitive balance within Europe and worldwide.
Professionals provide relief in the regulatory jungle
Many companies consider the EU General Data Protection Regulation too complex and fear high costs, such as may arise from non-functioning IT systems and major changes in data management as a result of a comprehensive switch to legally compliant data processing. All this is understandable. Nevertheless, looking the other way is not a solution here; the fines speak for themselves.
Instead, studies show that, contrary to companies' usual way of doing things, it makes sense to bring in external help. IT service providers and legal advisors specialize in this. They guide companies and organizations through the confusion and do a good job of conducting the necessary assessments.
* Bitkom: Hardly any progress in the implementation of the General Data Protection Regulation
** Bitkom draws mixed annual balance sheet on GDPR
*** University of Media Stuttgart: GDPR Study 2019
**** TeamDrive Blog
***** GDPR Act: Fines and Penalties
****** IT-Daily: 5 tips against GDPR fines
Your GDPR self-test
Answer 65 questions online and find out in the GDPR self-check where urgent action is needed.
A sophisticated GDPR compliant CRM software
GEDYS IntraWare also lends you a helping hand. Our CRM software and our CRM app are 100% GDPR-compliant and provide the functions required by the EU General Data Protection Regulation with regard to the
- right to information
- right to be forgotten
- obligation to provide evidence
- data minimisation
- right to data portability
- right to restriction of processing
- right to object