“Small and medium-sized companies are disproportionately burdened by legal requirements and thus by bureaucracy,” says Iris Plöger, member of the executive board of the Federal Association of German Industry (BDI), soberly. “Understanding the complex regulations alone often costs resources that are lacking in the actual core business.”
Reinhold von Eben-Worlée can only agree with this. “This mania for rules is particularly a burden for German medium-sized companies, which, unlike the large corporations with their legal departments, have to shoulder disproportionately more in addition to the already heavy bureaucratic hurdles,” says the President of the Association of Family Businesses.
The legal aspect should not be underestimated. In case of doubt, violations of the GDPR can result in payments of up to 20 million euros or up to four percent of the annual turnover achieved worldwide. This increases the pressure on companies to pay close attention to compliance with the requirements when processing personal data.
Top jobs of the day
Find the best jobs now and
be notified by email.
For medium-sized companies in particular, data protection creates additional bureaucratic effort that many people find difficult to cope with. An overview of the biggest challenges:
1. Expensive advice
As a result of the strict regulations, companies have to revise their data protection declarations. That alone causes immense effort, as projections by the German Lawyers’ Association (DAV) show.
In preparation for the GDPR, companies in Germany then spent around 375 million euros on lawyers drafting the necessary data protection declarations for them. After the regulation came into force, a similar amount was added.
Even in the future, companies will not be able to meet data protection requirements without external help. The effort remains high – and the trend is increasing, says Rebekka Weiß, head of the Trust and Security department at the Bitkom industry association.
This is also shown by a representative survey by the association among companies with 20 or more employees in Germany. According to this, 42 percent of the companies stated that they have had more work since the introduction of the GDPR – and that this will continue in the future. Only 19 percent expected their increased effort to slowly decrease again.
2. No difference between large and small companies
The data protection rules apply to all companies operating in the EU – regardless of the size of the company. “Cyclists now need a car driver’s license with which they can also fly planes”, said the Austrian data protection expert Max Schrems once the problem for small businesses in a nutshell.
Entrepreneurs feel the effects every day. “Even the smallest companies have to document all data processing, from the first customer contact to the use of the office software, in writing in the same way as multinational corporations,” complains the Central Association of German Crafts (ZDH).
3. Excessive information requirements
Companies process customer data on a daily basis. This means that comprehensive information obligations apply to them, which can generate a great deal of bureaucracy. “Among other things, information must be provided about the legal basis, deletion periods, and rights of rectification and complaint,” says the trade association, describing the situation. The effort involved is too high because it is “superfluous”.
The association points out that customers practically did not assert their complaint, correction or deletion claims against, for example, a roofer, a painter and varnisher or a butcher.
This was no different even before the strict rules came into force. The association cites “low-risk data processing” in craft businesses as one of the reasons. That is why it is “difficult to understand” that the current data protection policy has now been “drawn” so far.
In this context, the Federal Association of German Employers’ Associations (BDA) complains that there has been a sharp rise in bureaucracy for companies, which is disproportionate to the benefits and protection.
It is true that the information obligations under data protection law can be fulfilled electronically, and consent is finally possible electronically. “The sticking points, however, are, among other things, the employer’s obligation to provide evidence, the creation of a processing directory and the data protection impact assessment.”
4. Hardly realizable information claims
The right to information plays a central role within the General Data Protection Regulation. How far this right extends is often the subject of legal disputes. “Some courts believe that you have to hand over every single email and every file with data of a claimant,” says data protection attorney Tim Wybitul. “This view can hardly be implemented in practice and its implementation would be enormously expensive,” says the partner at the law firm Latham & Watkins. “That’s why we often go to court for our clients in such cases.”
In labor disputes, the right to information can become a real burden for companies. In the event of termination, this right is sometimes used to increase the severance payment, explains Gerd Kaindl from the business law firm Beiten Burkhardt. “This can go so far that employees request copies of all personal data, for example in all servers, databases, web applications, e-mail inboxes, directory structures, storage media, smartphones, notebooks and various other end devices of the employer, including superiors and colleagues . “
5. Different interpretations of the regulations
The fact that in Germany they have to deal with different interpretations of data protection supervisory authorities causes uncertainty for many companies. “Each federal state has its own data protection officer, and the law is interpreted differently in the federal states,” complains Eben-Worlée. For a company it is more than cumbersome to act with data nationwide. “The consequences are high costs, legal uncertainty and, in the worst case, the waiver of data processing.”
Plöger from the BDI sees this as a “massive problem” for companies. “Despite the considerable time and money invested in compliance with data protection requirements, users often remain uncertain whether they are on the safer side in terms of data protection law.”
This particularly affects companies with operating locations in several federal states, the employers’ association BDA warns. A different application of data protection law between the countries makes implementation in practice more difficult.
6. Data protection bureaucracy as a business risk
The GDPR not only causes effort, it also represents a business risk for many companies. In a Bitkom survey, three quarters of 502 companies with 20 or more employees stated that innovation projects had failed due to specific data protection requirements. And in nine out of ten companies, projects have been stopped due to ambiguities in dealing with the GDPR.
Eben-Worlée is not surprised by the results. “The corona crisis at the latest made it clear that the overregulation by the GDPR not only massively inhibits research, for example in the medical field, but also represents a huge brake on companies,” he says. And he warns: “We cannot win the innovation race with the USA and China like this.”
Conclusion
Eben-Worlée sees an urgent need for action. The EU data protection is not up to date and thus prevents technological innovations. The set of rules must become “more efficient and practicable” so that it can be expanded into a locational advantage for existing and future digital business models. “We emphatically expect a reform of data protection from the next federal government,” emphasizes Eben-Worlée. Data protection rules must be “comprehensible, fair and proportionate for all market participants equally”.
The industry association BDI calls for an end to the inconsistent interpretation and enforcement of data protection rules by the supervisory authorities. “These could mainly be adequately addressed through homogeneous guidelines, orientation aids or codes of conduct,” believes BDI expert Plöger.
The cost of red tape
The craft association ZDH demands that small businesses be exempted from disproportionate, non-relevant and impractical regulations. “Craft businesses in particular only process the data of their customers and employees and therefore do not pose a significant risk to data protection.” For these and comparable companies, the documentation requirements should therefore be dropped.
The data protection attorney Wybitul fears, however, that changes to the existing rules will be difficult to enforce. The GDPR was the result of a compromise after years of negotiations at EU level. “I don’t think there will be any new negotiations about adjustments in the foreseeable future.”
More: Bitkom President warns: The lack of a data protection agreement with the USA “is massively damaging the German economy”.