Economy complains about expensive proliferation of data protection regulations

Berlin. After five years of the General Data Protection Regulation (GDPR), the EU set of standards with its 99 articles and 173 recitals is still giving the economy a hard time. This is the conclusion of a study commissioned by the Foundation for Family Businesses, in which the data protection regulations in Germany, France, Italy and Austria were compared. The analysis is available to the Handelsblatt in advance.

Conclusion: For internationally active companies, it is very time-consuming to comply with the different specifications in the individual member countries in detail and to derive the right actions from them. Because companies want to minimize risks and prevent sanctions and damage to their reputation, they often hire external consultants, which incurs additional costs.

Foundation board member Rainer Kirchdörfer believes that sensitive data must be handled responsibly “without this excessive bureaucracy”. He criticizes: “Every state, indeed every federal state, wants to realize itself here. In this way, data protection becomes a burden, causes unnecessary costs and reduces the competitiveness of our companies.”

There was a lot of praise for the fifth anniversary of the General Data Protection Regulation (GDPR) at the end of May: It was important to standardize the processing of personal data across the EU, according to data protection officials and politicians. Companies would benefit from the harmonized regulation. The set of rules is considered an “export hit” for other countries outside the EU.

In most cases, what makes the headlines are data protection violations for which companies have to pay high fines. According to the international law firm CMS, the competent authorities in Europe have imposed fines totaling almost four billion euros in more than 1,600 cases over the past five years.

The fact that European companies have to comply with the GDPR regulations every day, despite major scandals, quickly fades into the background with such reports. “Small and medium-sized companies in particular complain about the bureaucratic burden of the GDPR,” says the Association of Data Protection Officers in Germany (BvD).

Great caution out of uncertainty

Christian Rammer, project manager in the research area Innovation Economics at the Leibniz Center for European Economic Research (ZEW), explains “that the GDPR has made many processes in which personal data is created or used more complicated”. This may be due to a particularly high level of caution on this subject. “When in doubt, many data protection officers are in favor of a more restrictive solution for handling data, even if this is not necessarily appropriate due to the GDPR.”

Often, however, there are no uniform or clear guidelines at all, as the Centers for European Policy Network (CEP) and Prognos AG found on behalf of the Foundation for Family Businesses. Specifically, the administrative effort and financial burden were examined for just two of the existing GDPR regulations – which alone led to around 200 pages of problem analysis.

On the one hand, the researchers looked at the fact that every company must keep a “record of processing activities”. The purpose of the data processing, the type of data, the transfer to third parties or the deletion periods should be listed here.

The problem: In the GDPR, the term “processing activity” is not defined at all. The result: the Austrian and Italian data protection authorities make no statements at all. In Germany, on the other hand, small companies can evaluate their entire personnel administration as one process. Medium-sized companies need to differentiate more, for example in recruiting, hiring or people management.

In large companies there can then be hundreds of “processing activities” that need to be accounted for in the directory, including customer data, creditworthiness data or payment data. The GDPR does not provide for any reference to the size of the company.

18 different authorities in Germany alone

In addition, there are a total of 18 different data protection authorities in Germany due to federalism at federal and state level. The respective federal states sometimes interpret the rules differently. As a result, the directory leads to “considerable annual expenses” that are perceived as a “significant burden” by the economy, according to the study.

Second, the researchers examined the requirement for companies to report “personal data breaches.” The GDPR is also implemented very differently on this point: In Austria, a data protection violation can only be reported by post or e-mail. The other countries offer online forms.

According to the study, companies in France have a particularly difficult time: They cannot save entries in the notification procedure. This means that every correction leads to restarting the procedure. The companies surveyed therefore want standardized, time-saving online solutions for the entire EU.

Politicians at odds over possible changes

The researchers demand that the GDPR be supplemented by comments so that the terms used are clearly defined: “Undefined legal terms create uncertainty, additional effort and consulting costs.” In addition, the data protection authorities would have to provide better advice, or any advice at all.

The economic policy spokesman for the FDP parliamentary group, Reinhard Houben, even demands that the authorities provide inquiring companies with legally binding information on the implementation of data protection in the future. In addition, the GDPR evaluation planned for 2024 must deal with the question “to what extent the requirements for small and medium-sized companies can be reduced,” Houben told the Handelsblatt. “Large companies like Google or Volkswagen have completely different capacities than small and medium-sized companies.”

The SPD economic politician Sebastian Roloff believes that a “practical fine-tuning” based on the GDPR review is possible in order to reduce the bureaucratic burden on companies. However, the basic digital rights of citizens are valuable goods. “We can therefore explicitly not join undifferentiated demands for a drastic defusing of the GDPR,” Roloff told the Handelsblatt.

More burdens to come

The SPD politician initially relies on the greatest possible harmonization within Germany: “The legal uncertainty in the application of the GDPR associated with small states is cost-intensive for companies and urgently needs to be avoided.”

However, according to the Bitkom digital association, the burdens are likely to increase: “Since the introduction of the GDPR, the burden of reporting obligations and other bureaucratic requirements has been and still is high for companies,” said Rebekka Weiß, Head of Trust and Security. For example, the Data Act, the AI Act on Artificial Intelligence and the IT Security Act 2.0 would now introduce additional documentation and transparency obligations. In addition, there would be the permanently high costs for companies that carry out international data transfers.
