The GDPR After 6 Years

01.02.2024 | Author: Top privacy s.r.o.
4 min

The GDPR has been in effect since May 2018, and this year marks exactly six years since its implementation. The non-profit organization NOYB (European Center for Digital Rights, based in Vienna) therefore decided to conduct extensive research on the GDPR as early as November 2023. The research focused primarily on compliance with the regulation in companies, its adoption, and the implementation of necessary changes. Using a questionnaire, they asked respondents (primarily those responsible for GDPR compliance or lawyers in the field) about their practical experiences; it turned out that nearly 75% expect relevant violations in an average company. This figure is certainly alarming, given that the regulation has been in effect for 6 years.


Before conducting the research itself, which took the form of an online survey, it was important to select suitable respondents. The aim was to focus on individuals who would respond impartially and truthfully, so that the results would be truly relevant. A total of 1,048 respondents participated in the survey, primarily data protection officers (both internal and external), consultants, and lawyers specializing in the GDPR. Geographically, their distribution is uneven; as many as 203 people responded from Germany, while Slovakia was represented by only 5. Nevertheless, we can state that approximately 30 countries participated. Respondents primarily worked in companies with over 500 employees, followed by medium-sized and small businesses. It is precisely large companies that are of great significance under the GDPR, as they involve a large number of individuals and thus a large volume of data.

The first set of questions in the survey focused primarily on individual articles of the GDPR and their compliance within companies. The biggest problem turned out to be the data transfer rules (Articles 44–50), where 68.5% of companies still face significant compliance challenges. The second-biggest problem was documentation and organization (Articles 24–43), where as many as 65.8% of companies encountered major issues. The core principles of the GDPR (Articles 5–11) are handled without problems by 50% of companies, meaning respondents believe that only half of companies have no issues in this area. The duty to provide information and the rights of data subjects (Articles 13–22) fared very similarly, with around 40% of companies still having problems complying with them.

An internal compliance manager commented on these results by stating that, although he sees improvement in this area, most business owners perceive the GDPR as something that complicates their business operations.

Further questions focused primarily on Data Protection Officers (DPOs) and their activities within companies. Essentially, their primary role is to inform companies about their obligations under the GDPR and to “convince” them to implement changes. This is where the first problem arises: not everyone is willing to accept these changes. The biggest problem is evident in the sales and marketing sector, where as many as 56% of respondents stated that it is difficult to convince them of the necessary changes. Next are external suppliers outside the EU/EEA at 51.3%. On the other hand, positive results are seen with external suppliers from the EU/EEA, where 38.5% of respondents stated that it is relatively easy to convince them, and only 22.4% stated that it is difficult to convince them. The questions in the survey also addressed the pressure exerted on DPOs to scale back GDPR requirements. The greatest pressure was reported from the marketing and sales departments, at 46.9%.

According to a DPO from the Netherlands, managers are primarily focused on generating profits and comply only with the bare minimum required to meet laws and regulations. Marketing and IT departments tend to focus solely on doing their jobs and avoid advice regarding personal data protection. Even after 5 years of GDPR training, they do not understand and do not know how the law works.

A series of questions regarding internal factors that can influence a company to implement improvement measures yielded very interesting results. Respondents were asked to rate 14 factors. The factors that had the greatest impact were primarily: potential loss of reputation at nearly 66%, followed by fines and other penalties at 63.4%, and compliance requirements from other businesses (suppliers or customers) at 57.9%. Surprisingly, the guidelines of the EDPB (European Data Protection Board) had the lowest impact, at 46.8%. They justified this by stating that the guidelines are too general and, in practice, are virtually unusable. Other categories with very low impact include court rulings and decisions by authorities in other jurisdictions. Respondents’ answers reached around 46% in both categories, which they attributed primarily to differences in the interpretation, application, and enforcement of the GDPR among EU member states.

If we consider the overall state of the GDPR, as many as 74.4% of respondents answered that if a DPA (data protection authority) were to conduct an inspection at a controller’s premises, it would find relevant violations in this area. Just under 8% believe the opposite. These figures are truly alarming.

Six years after the GDPR came into effect, awareness of and attitudes toward personal data have at least improved within society; however, consistent compliance with the GDPR remains elusive. So, according to the research, what should countries focus on? The research highlighted several factors that have a truly positive and significant impact, above all high fines and the publication of findings and decisions, which together represent a so-called double-edged sword. On the one hand, such a decision serves as a deterrent for other companies and an opportunity to learn from someone else’s specific mistakes and avoid them. On the other hand, the company that committed the violation will be associated with the decision, which can jeopardize its reputation, and thereby its relationships with customers and partners, and ultimately its business operations.

Source: NOYB, GDPR: a culture of non-compliance?


Top privacy s.r.o.