heise PlusAbo
Anzeige

Bitkom Survey: Large Majority of Companies Demand GDPR Reform

According to a Bitkom survey, 97 percent of companies complain about high data protection efforts. Three-quarters see digitalization being slowed down.

listen Print view
The twelve yellow EU stars on a blue background; in a circle, there is a white padlock and the letters GDPR (General Data Protection Regulation); the blue background is a map of Europe

(Image: peterschreiber.media/Shutterstock.com)

6 min. read
iX Magazin
By
Contents

The German economy is increasing pressure on politicians: 79 percent of companies are calling for a reform of the General Data Protection Regulation (GDPR) at the European level, and 71 percent are in favor of concrete relaxations. This is according to a survey by the industry association Bitkom among 603 companies with 20 or more employees. Particularly alarming: 97 percent of respondents describe the effort involved in implementing the GDPR as very high or rather high.

Furthermore, according to the survey, the burden is continuing to increase: for around two-thirds of companies (69 percent), data protection efforts have increased further in the past year – an increase compared to previous surveys. 72 percent now complain that Germany is overdoing it with data protection, compared to 64 percent a year ago. The criticism becomes even clearer regarding digitalization: 77 percent say that data protection is hindering digitalization in Germany, compared to 70 percent in 2024.

"We should take these assessments by companies seriously and enable data protection that is both effective and practical for the digital society," says Susanne Dehmel, member of the Bitkom executive board. While the EU Commission has initiated important steps with the Digital Omnibus, the structural hurdles remain.

Legal uncertainty prevails in many sectors, for example with consents, which not only need to be documented but also formulated and reviewed in a legally sound manner. "The multitude of complex data protection regulations creates costly and sometimes bureaucratic processes in companies. Clarity and relief are urgently needed here," says Dehmel.

Documentation obligations and legal uncertainty are the biggest burdens

The companies cite the fact that the data protection process is never completed (86 percent) and the uncertainty about the exact requirements of the GDPR (82 percent) as the biggest challenges. In addition, there are recurring checks when introducing new tools (77 percent). From the perspective of 69 percent, the requirements are generally too high, 54 percent criticize the inconsistent interpretation within the EU, and just as many complain about a lack of advice from supervisory authorities.

Particularly problematic: 53 percent face conflicting legal requirements, and 37 percent complain about inconsistent interpretation within Germany. "Companies are experiencing a constant burden from data protection, which ties up scarce resources that are missing elsewhere," explains Dehmel.

Internally, companies are primarily struggling with the time for IT and system changes (50 percent) and the effort to make the complex requirements understandable to employees (46 percent). Furthermore, there is a shortage of skilled workers for data protection implementation (38 percent) and a lack of financial resources (31 percent).

Specific reform demands: Less documentation, more legal certainty

Companies have clear ideas about where improvements are needed. Around three-quarters each want to reduce the documentation obligation for processing activities (76 percent) and abolish the prohibition with a reservation of permission (73 percent). Around 6 out of 10 companies each advocate for simplified use of pseudonymized data (63 percent), mandatory more practical advice from supervisory authorities (62 percent), more legal certainty in balancing interests (61 percent), and fewer information obligations (60 percent).

More than half (54 percent) want to allow more data processing without consent, and 53 percent demand less audit effort for data protection impact assessments. One-third (33 percent) would even abolish the obligation to appoint a data protection officer. "Companies aim to make the GDPR practical after seven years," emphasizes Dehmel. "Data protection must be understandable and applicable."

The demands reflect where the greatest effort currently arises: for 73 percent, it is the documentation obligation for processing activities, and for 69 percent, it is technical implementation. This is followed by clarifying legal requirements (57 percent), coordination with external service providers (54 percent), and fulfilling information obligations (53 percent).

Criticism of supervisory authorities – centralization as a solution?

Supervisory authorities are also facing criticism. Around two-thirds (69 percent) of companies complain that German data protection authorities apply the GDPR too strictly. One consequence: 62 percent of companies overdo it with data protection for fear of violating the GDPR.

The proposed solutions are less clear-cut: by a narrow majority, companies advocate for centralizing data protection supervision at the federal level. 53 percent support the proposal, while 42 percent reject it. "The discussion about reforming data protection supervision in Germany is important," says Dehmel. "We must make the best possible use of the authorities' resources and, in particular, ensure good advice as well as consistent interpretation and enforcement."

Videos by heise

AI development in danger

With regard to Artificial Intelligence, the role of data protection is increasingly viewed critically. 71 percent of companies demand that data protection must be adapted to the AI era. 63 percent even fear that AI development will be driven out of Europe by overly strict data protection regulations. This shows the growing concern that Europe could fall behind in the global AI competition due to regulatory hurdles.

A quarter of companies admit to data protection violations in the past twelve months. 19 percent had one violation, and 6 percent had multiple. 57 percent of the affected companies reported these to the supervisory authority, while 29 percent failed to report them.

Around every second company with data protection violations considers them very serious (16 percent) or rather serious (32 percent). Consequences cited by 93 percent include organizational effort, followed by fines (51 percent) by a significant margin. 18 percent lost customers, and 7 percent had to pay damages. "Violations of data protection are not without consequences, but have repercussions," warns Dehmel.

All information about the survey can be found at Bitkom. Meanwhile, the reform of the GDPR is also drawing sharp criticism – for example, that the EU wants to weaken data protection at the request of the US. Other experts see the digital omnibus as an extremely difficult balancing act between data protection and bureaucracy reduction.

(fo)

Don't miss any news – follow us on Facebook, LinkedIn or Mastodon.

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.

Beliebte Bestenlisten

Alle Angebote
Newsletter heise-Bot heise-Bot Push Nachrichten Push Push-Nachrichten