The Comedy of Compliance: Data Protection in Germany
By your favourite mix of deadpan wit and sharp observation, think Jimmy Carr meets honey in a pot with a side of oily Rowan Atkinson.
So, let’s dive into this delightful stew of statistics and bureaucratic bewilderment served up by good ol’ Bitkom! Apparently, German companies are sweating it out over data protection like it’s a sauna session with Boris Johnson and a plate of undercooked sausages. Who knew compliance could feel like running a marathon on a treadmill of legalese?
The Great Struggle of Data Protection
Let’s start with the headlines: 63% of companies have reported that their data protection effort has increased in the last year. Now, if I had a euro for every time an employee lamented the daunting and ever-changing landscape of data protection rules, I’d probably buy my own private island and retire from this madness. Instead, just 4% of firms haven’t felt the pressure. That’s right, the remaining 96% are grappling with enough regulations to make Santa’s naughty and nice list look like a short shopping list! Imagine trying to find a minimalist IKEA desk in a chaotic storage unit!
The Fear of Digital Innovation
In an ironic twist that even Rick Gervais would appreciate, 63% of the German companies have reported that their “innovative projects” were hamstrung by these very regulations. It’s like going to a buffet and being told you can only fill your plate with lettuce. Delicious, right? Meanwhile, 70% are raising the alarm that data protection is throwing a big, hairy spanner in the works of digitalization. And heaven forbid anything gets in the way of school tech! After all, it’s paramount that kids use TikTok responsibly! Can we at least get a “digital playground” before we bury our heads in legislative sand?
GDPR: The Never-Ending Story
Now for the pièce de résistance: the GDPR. Six years in and it’s the gift that just keeps on giving—all in the form of legal confusion. 7 out of 10 companies believe they’ve implemented it, which is like saying 70% of the population thinks they can build a flat-pack wardrobe without reading the instructions. Well, you might end up with an ‘artistic interpretation’ of a closet!
AI: A Double-Edged Sword
Oh, and let’s not skip the irony that almost half of the companies are now daydreaming about using AI to help with data protection! That’s like hiring a cat to guard a fish tank. While 68% realize that AI presents a whole new set of challenges, only 5% are already using it. But hey, why not mix chaos with chaos and see what concoction of mishaps we can achieve next? After all, innovation is the name of the game, or is it bureaucratic roulette?
The Call for Reform
As politicians gear up for election season like kids at Christmas, 91% of companies are craving a consolidation of all these pesky regulations. What do they want? Simplicity and clarity. Imagine asking your mate who’s on his fifth pint to clarify an entire book of rules! Good luck with that! Thankfully, 67% want centralization of supervision—maybe a superhero-esque figure to swoop in and save them from all this data drama.
Data Breaches: Where Laughter Meets Consequences
And what about breaches? 20% of companies have admitted to playing with fire in the past year. Shocking for a nation that delights in following rules! Yet, most consequences seem to be organizational effort, which terribly conflicts with the idea of “I’ll just yell at IT until it’s fixed.”
Before the Curtains Close
So, as the stage is set for the Bitkom Privacy Conference, the question remains: will anything change? It’s looking unlikely unless politicians remember that data protection shouldn’t feel like trying to fit a square peg into a round hole during a blackout. Let’s keep our fingers crossed that next year, we won’t need a map and a guidebook just to understand data regulations! As they say in showbiz, “never work with children or data protection laws!”
So, buckle up, Germany! The performance continues!
Source: Bitkom eV
Photo: Kanika Graphic – stock.adobe.com / AI-Generated
German companies must make even greater efforts to implement data protection. In around two thirds (63 percent) the effort for data protection has increased in the past year, in 36 percent it has remained the same – and has not decreased anywhere. 9 out of 10 companies (94 percent) describe the current data protection effort as high. At the same time, in around two thirds (63 percent) of companies in Germany, innovative projects failed or were not even started in the past twelve months due to data protection regulations. 70 percent warn that data protection is inhibiting digitalization in Germany, 63 percent see this specifically for socially relevant projects such as the use of digital technologies in schools. And 64 percent say: We are exaggerating data protection in Germany. These are the results of a representative survey commissioned by the digital association Bitkom among 605 companies with 20 or more employees in Germany. “The protection of personal data is an integral part of our value system and our democracy in Germany and Europe. However, we have to make adjustments in the implementation and interpretation so that data protection remains practical,” says Susanne Dehmel, member of the Bitkom management. “When it comes to data protection, we urgently need more clarity, traceability and uniformity. That would be a support program for companies that doesn’t require money, just political will.”
GDPR: Implementation is well advanced, but concerns remain
The European General Data Protection Regulation (GDPR) is still causing dissatisfaction in companies after six years. 7 out of 10 companies have now implemented the GDPR completely (23 percent) or largely (48 percent), and another 28 percent have implemented it at least partially. However, it continues to lead to increasing data protection costs for companies. 42 percent of companies have increased their expenditure since the introduction and assume that it will continue to increase; a year ago it was only 33 percent. A further 42 percent have had more effort since the introduction and expect this to remain unchanged (2023: 50 percent). At just 15 percent, the additional effort is noticeably decreasing (2023: 12 percent), only 1 percent did not register any increase in effort at all.
The high effort is also due to the fact that implementation is considered never to be fully completed in 84 percent of companies. 80 percent complain that the rollout of new tools always triggers new data protection checks. And even after six years, three quarters (76 percent) suffer from legal uncertainty regarding the precise requirements of the GDPR. 61 percent criticize the overall too high requirements of the EU rules, 56 percent criticize the inconsistent interpretation within the EU. But there are also challenges in implementing the GDPR within the companies themselves. For 56 percent, the necessary IT and system changes cost a lot of time, and 53 percent find it difficult to make the complex requirements understandable to employees. Around a third each lack money (34 percent) or qualified employees (32 percent).
When assessing the GDPR, critical assessments predominate. For 77 percent, the GDPR makes their own business processes more complicated. 64 percent believe that the data protection authorities in Germany apply the GDPR too strictly. Almost as many (62 percent) also think that German companies are overdoing data protection because they are afraid of violating the GDPR. 53 percent simply consider the GDPR to be a disadvantage for the location, 49 percent see that innovations from other regions cannot be used in the EU due to data protection rules. On the other hand, 70 percent emphasize that the GDPR has improved data security in their own company, while 48 percent see it as creating more uniform conditions of competition within the EU. Two thirds of companies (63 percent) come to the conclusion that the GDPR must be relaxed. “Even after six years, dealing with the GDPR is characterized by legal uncertainty and varied interpretations. “That’s not a good result for a piece of legislation in such a central area,” said Dehmel. “Politicians are required to make further adjustments to the GDPR in terms of its practical suitability.”
Artificial intelligence to help with data protection
Given the high effort involved, almost half of companies (48 percent) are considering using artificial intelligence for data protection. This involves, for example, chatbots for employees to quickly explain data protection issues, or the detection of data protection violations by AI or the automated anonymization or pseudonymization of data. 5 percent are already using such AI applications, 24 percent have already planned to use them. And another 19 percent are still discussing it. On the other hand, AI as a support for data protection is currently not an issue for 46 percent.
At the same time, 68 percent of companies are of the opinion that the use of AI in companies poses completely new challenges for data protection. While 53 percent believe that data protection creates legal certainty in the development of AI applications, 52 percent say that data protection hinders the use of AI when it comes to their own company. 57 percent fear that data protection will restrict the use of AI in the EU, and 52 percent even assume that data protection will drive companies out of the EU that develop AI. One reason for this: For 50 percent, data protection makes it difficult for AI models to be trained with enough data. “Artificial intelligence can make a contribution to solving current social challenges. We must design data protection in such a way that it protects personal data from unauthorized access by AI models, but at the same time promotes the development and use of AI in Germany and Europe,” said Dehmel. “Artificial intelligence needs understandable and manageable rules; we must not repeat the mistakes made in the General Data Protection Regulation in recent years with the AI Act and Data Act.”
A large majority calls for reform of data protection supervision
The various supervisory authorities at national and European level play a special role in data protection. Companies see an urgent and fundamental need for reform here. Only 7 percent are of the opinion that the system of data protection supervision should remain unchanged. But 69 percent want to reform it partially, 21 percent even want to reform it fundamentally. At the top of the reform wish list: Better coordination between authorities (74 percent), recognition of the decisions of other supervisory authorities (72 percent) and a central database for all decisions (70 percent). Two thirds (67 percent) even demand centralization of data protection supervision. “The economy does not want to abolish or weaken data protection, but they want to be able to implement it uniformly together with the supervisory authority,” said Dehmel. Companies also have very practical requests. These include uniform reporting processes for data protection violations (61 percent) and faster processing of inquiries and complaints by the supervisory authority (53 percent).
Data protection violations: Frequently reported, rarely without consequences
Every fifth company (20 percent) admits data protection violations in the past twelve months. 16 percent had one such violation, 4 percent even had several. Two thirds (66 percent) report no known violations, another 14 percent do not want or cannot provide any information. The majority of companies with violations (65 percent) reported them to the supervisory authority. Data protection violations rarely had any consequences for companies. 11 percent describe the consequences as very serious, 32 percent as rather serious. 29 percent consider it not to be serious, 17 percent think it is not serious at all. If you ask companies about the specific consequences of the most serious data protection breach in the past twelve months, almost all of them (94 percent) mention the organizational effort, such as informing customers. This is followed by a fine of 47 percent. 14 percent lost customers and 5 percent had to pay compensation. Another 3 percent complain about damage to their reputation. Only 3 percent of all companies with data protection violations had to suffer no consequences. “Breaches of data protection have consequences, and companies are aware of that,” says Dehmel.
Before the election year: desire for political action
Before the upcoming election year, companies expect three things from the federal government with regard to data protection: the consolidation of the many special and special regulations on data protection and data use (91 percent), more standardized data protection regulations across Europe (87 percent) and the reduction of bureaucratic effort in data protection incidents (79 percent). “We need simplicity and clarity when it comes to data protection. Data protection has a profound impact on companies as well as on society, which is why it must be made understandable and practical,” said Dehmel. 66 percent want to harmonize federal data protection laws, 65 percent want data protection regulations that are easier to understand and 61 percent want a practical reform of the GDPR. Around two thirds (64 percent) would like a political solution for international data transfers and 67 percent would like better access to public sector data for companies.
Bitkom Privacy Conference on October 9th and 10th
What developments can be expected in data protection, but also what effects the Data Act, a possible GDPR enforcement regulation or the AI Act have on it and the use of data will also be the topic of the Bitkom Privacy Conference on October 9th and 10th. In addition to data protection experts from various data protection authorities, global companies, innovative medium-sized companies, startups and representatives from politics, science and practice come together. Participants include Didier Reynders (Commissioner for Justice of the European Union), Dr. Des Hogan (Data Protection Commissioner and Chair of the Irish Data Protection Commission), Emily Hancock (Cloudflare), Sebastian Grantz (Google) and Sarah Johanna Zech (Allianz). Registration for the online event is possible free of charge at www.privacy-conference.com/tickets.
Source: Bitkom eV
