Seven months after its introduction, the General Data Protection Regulation (GDPR) still poses challenges for many companies in Germany. This is the result of a study (called the "DSGVO Index" in German, DSGVO being the German abbreviation for the GDPR) conducted by analyst firm techconsult in November 2018 with the support of Microsoft, Tarox, Avedos, SEP and QSC, covering companies of all industries and sizes. As part of the study, 259 German companies were asked about their experiences with the GDPR.
The primary aim of the study was to determine:
- to what extent the GDPR has already been implemented in German companies,
- how much time each company needs to fully align its processes with the General Data Protection Regulation,
- the extent to which the management acts as a driving force in the implementation of the GDPR, and
- the extent to which employees have been sensitised to the GDPR guidelines.
Degree of implementation of the GDPR
Only 43% of companies believe that their processes comply with the guidelines of the General Data Protection Regulation. On the other hand, 39% of those surveyed state that they are currently still in the process of implementing the GDPR in their company. 10% of the companies have already drawn up plans to adapt their processes, while a further 8% have started neither planning nor implementing the General Data Protection Regulation.
Duration of implementation of the GDPR
For many companies, the two-year transition period granted before the General Data Protection Regulation came into effect was not sufficient. But when can German companies be expected to comply with the GDPR?
17% of the companies state that they will have completed the necessary data protection adjustments within the next three months. 19% of the respondents estimate that this process will take another three to six months, while 15% of the companies even estimate six to twelve months. In addition, 16% of the respondents expect that they will need at least another one or even two years before their company can be considered GDPR-compliant.
To what extent is management driving the implementation of the GDPR?
As the driving force behind the adaptation process and the primary point of contact vis-à-vis the supervisory authorities, management plays a decisive role in the implementation of the GDPR.
70% of those responsible are of the opinion that the management takes the GDPR seriously. However, 25% of those surveyed believe that the management only pays partial attention to the General Data Protection Regulation, while 5% state that the management is generally not interested in the GDPR.
Degree of employee awareness of the GDPR
Only 42% of the respondents were sufficiently sensitised and trained with regard to the GDPR-compliant handling of data. 26% of the study participants, on the other hand, pointed out that only a portion of the employees had received appropriate training. Training is planned for 7% of the respondents, while 26% of the respondents were neither trained nor sensitised with regard to data protection-compliant processing.
You can download the study in German from www.dsgvo-index.de.