GDPR in customer management

    An interim assessment of the EU GDPR


    How are companies and organizations coping with the EU General Data Protection Regulation? The EU GDPR has been in force in all EU member states since May 2018. It was clear from the outset that the new regulations would pose a challenge for some companies and organizations.

    After almost seven years, not all companies have fully implemented the requirements. According to a 2022 Statista survey on the status of GDPR implementation in Germany, 22% of the companies surveyed had still not fully implemented the GDPR and 33% had only partially implemented it.

    Objectives and content of the General Data Protection Regulation

    The aim of the GDPR is to strengthen the fundamental freedoms and rights of natural persons and the protection of personal data through a uniform data protection standard in the EU. It comprises 99 articles, which are explained in detail in 173 recitals. The regulation covers, among other things:

    • principles and lawfulness of data processing
    • the tasks of data protection officers
    • the processing of rights of access and information
    • the security of data processing
    • keeping a register of processing activities
    • the entire area of data security.

    Conversion to GDPR hindered by effort

    The complexity of the General Data Protection Regulation was intimidating right from the start, especially for small and medium-sized companies and organizations. The results of a study conducted by the digital association Bitkom in September 2018, four months after the deadline, already indicated this. Many companies had not yet reacted sufficiently to the entry into force of the new regulation.

    Only 24% of the more than 500 companies surveyed in Germany stated that they had fully completed the changeover. 78% complained that the EU GDPR had increased their workload and 96% already called for improvements*.

    A lack of proportionality is forcing small companies into digital extinction

    Bitkom President Achim Berg made similar comments in May. He criticized the fact that member states, data protection authorities and companies were still interpreting the data protection regulations differently. It was also problematic that no distinction was made between global corporations and small and medium-sized enterprises. This puts the smaller ones at a disadvantage.

    According to Berg, more "day-to-day assistance" needs to be provided. Three out of four companies already see the EU General Data Protection Regulation as the biggest hurdle when using new technologies.** According to a survey conducted by Stuttgart Media University, small companies and organizations (e.g. associations) find themselves taking drastic measures out of ignorance. For fear of violating regulations, they restrict their digital offerings or even abandon them altogether.***

    Too little knowledge of regulations and penalties in companies

    Other studies on the topic confirm Bitkom's findings. At the beginning of 2019, around a third of the companies surveyed had not even started the transition. Some others were unsure whether they would be GDPR-compliant by the end of 2019. It was also problematic that the IT systems of companies undergoing the changeover only met GDPR compliance to an inadequate extent. Experts attribute the problems with the changeover to a lack of knowledge. In some cases, it is also due to an underestimation of the importance of the changeover within the company.

    For example, a study by software manufacturer TeamDrive found that most companies placed more emphasis on protecting their own IT infrastructure from hacker attacks than on compliance with the EU GDPR.**** This may also be due to a lack of awareness of the possible penalties.

    Severe penalties for violating the GDPR

    In fact, companies should not take the requirements of the General Data Protection Regulation lightly. This is because the potential fines for non-compliance are quite severe. The requirement is that fines are not only effective and proportionate in each individual case, but also dissuasive. With a sanction framework of up to 20 million euros or 4% of global annual turnover for particularly serious violations, this should probably be the case.*****

    In Germany, only 81 fines totaling €485,490 had been imposed by July 2019. However, others have been hit harder by the EU regulations. For example, the airline British Airways was fined 229 million US dollars. The Marriott hotel group had to pay a fine of 123 million US dollars.******

    GDPR does not only cause problems

    Despite the negative aspects, there have also been some positive results, according to Achim Berg. For example, the EU regulation has an "international impact", which means that global corporations and important trading partners are taking their lead from it.** Fundamental awareness of data protection has also increased. This not only means more protection of personal rights. It also results in a better balance in competition, both within Europe and worldwide.

    Professionals provide relief in the jungle of paragraphs

    Many companies consider the EU General Data Protection Regulation to be too complex and fear high costs, such as those that may result from non-functional IT systems and major changes in data management when making a comprehensive changeover to legally compliant data processing. All of this is understandable. Nevertheless, turning a blind eye is not a solution. The fines speak for themselves.

    Instead, studies show that it makes sense to call in external help, contrary to what companies have commonly done in the past. IT service providers and legal advisors have specialized in this. They guide companies and organizations through the maze and, according to surveys, do a pretty good job of it.

    * Bitkom: Hardly any progress in implementing the General Data Protection Regulation
    ** Bitkom draws a mixed annual balance on the GDPR
    *** Stuttgart Media University: GDPR study 2019
    **** TeamDrive blog
    ***** GDPR law: fines and penalties
    ****** IT-Daily: 5 tips against GDPR fines

    GDPR self-test

    Answer 65 questions online in the DSGVO Selfcheck and find out where there is still an urgent need for action.  

    Our CRM software and CRM app are 100% GDPR-compliant and offer the necessary functions for the EU General Data Protection Regulation.
