
The GDPR continues to cause significant legal uncertainties

Even after six years, the European General Data Protection Regulation (GDPR) remains one of the biggest drivers of bureaucracy for German businesses. This is the result of a survey conducted by the German Chamber of Commerce and Industry (DIHK) among 4,900 companies from nearly all sectors.

Prof. Dr. Stephan Wernicke

According to the DIHK survey, the implementation of the GDPR, effective since May 2018, still causes "high to extreme" effort for more than three quarters of businesses.

"This value encompasses all company sizes," says DIHK Chief Legal Officer Stephan Wernicke. Particularly critical: Nearly one-fourth of companies with up to 19 employees classify their GDPR effort as "extreme."

Communicating relief measures for smaller companies

Chart: GDPR survey, effort

"Specific relief measures are possible here," says Wernicke. "For cases involving only limited data or low to normal risk, extensive documentation requirements are disproportionate. They lead to more effort without providing greater data protection." The law "explicitly allows relief measures for small and medium-sized companies," he clarifies. "However, it should be formulated more clearly so that it can be utilized in practice." 

Businesses continue to assign high priority to data protection. More than 60 percent state that the importance of the topic has increased for them in the past three years, mainly due to the threat of cyberattacks.

Implemented less bureaucratically abroad

In addition to bureaucratic burdens, businesses especially criticize legal uncertainties and their consequences. "Noteworthy: Companies with GDPR experience in other EU member states mostly perceive their local data protection authorities as less strict than the German ones," reports Wernicke, referring to the survey findings. "Around half of the companies also face different legal interpretations from the responsible data protection authorities within Germany."

Such legal uncertainties are hindering digitalization and the transformation of business processes, warns the DIHK Chief Legal Officer. "The harmonization aimed for with the GDPR must be pursued more rigorously."

Chart: GDPR survey, legal uncertainties

More than two-thirds (69 percent) of businesses additionally criticize ambiguities and risks regarding legal consequences of potential GDPR violations. "In particular, the questions surrounding potential damages remain unresolved," says Wernicke. "Collective lawsuits under the new Consumer Rights Enforcement Act (VDuG) increase the risk of barely calculable compensation claims."

Missing adequacy decisions hinder data exchange

Adequacy decisions matter for international data exchange: in them, the European Commission determines that the level of data protection in a specific third country is comparable to that in the EU, which makes the processing of personal data generally possible. In other cases, the legal assessment is left to the companies themselves.

However, adequacy decisions exist for only 15 countries worldwide. The lack of recognition for data standards in many regions of the world poses enormous problems for companies in international data transfer. Among businesses that perceive data protection challenges in international data transfer, 88 percent complain that they cannot independently assess the level of data protection in third countries.

This leads to high liability risks and significant competitive disadvantages for German and European companies, potentially resulting in the abandonment of business sectors altogether. "If no adequacy decision exists, at least uniform information on the data protection level of third countries should be provided by the EU Commission or data protection authorities," demands Wernicke.

Inconsistent EU regulations

Finally, the survey also shows that the majority of companies that criticize legal uncertainties notice significant inconsistencies between various EU regulations on the data economy (such as the Data Act) and the GDPR.

"A fundamental prerequisite for value creation in an innovative economy is legal certainty. Therefore, the legal uncertainties in the GDPR must be definitively resolved before additional regulations are introduced based on it. Otherwise, problems will simply be shifted," warns Wernicke. "The right time for this is now. The four-year evaluation of the General Data Protection Regulation, stipulated in the GDPR, is planned for the second quarter of 2024. This opportunity should be used to make the GDPR provisions feasible and legally secure."

The complete survey results are available for download here:

DIHK Survey "Making data protection feasible and legally secure" (only available in German) (PDF, 860 KB)
