The GDPR has been in force since May 2018, and this year it will be exactly six years. The non-profit organization NOYB (European Center for Digital Rights based in Vienna) has therefore decided to conduct extensive research on the GDPR in November 2023. The research focused primarily on compliance with the regulation in companies, its acceptance, and the implementation of necessary changes. Respondents (mainly GDPR officers or lawyers) were asked about their practical experience in a questionnaire, which revealed that almost 75% expect relevant violations in an average company. This figure is certainly alarming, given that the regulation has been in force for six years.

Before conducting the actual research, which took the form of an online questionnaire, it was important to select suitable respondents. The aim was to focus on people who would respond impartially and truthfully so that the results would be truly relevant. A total of 1,048 respondents took part in the survey, mainly responsible persons (both internal and external), consultants, and lawyers specializing in GDPR. Geographically, their distribution is uneven, with 203 respondents from Germany and only 5 from Slovakia. Nevertheless, we can conclude that approximately 30 countries participated. The respondents mainly worked in companies with more than 500 employees, followed by medium-sized and small companies. Large companies are particularly important in the context of the GDPR, as they involve a large number of people and therefore a large amount of data.
The first series of questions in the questionnaire mainly concerned individual articles of the GDPR and their compliance within companies. The biggest problem was the rules on data transfer (Articles 44-50), where 68.5% of companies still have significant problems with compliance. The second biggest problem was documentation and organization (Articles 24-43), where as many as 65.8% of companies had major problems. The basic principles of the GDPR (Articles 5-11) fared better, at 50%, meaning that respondents believe only half of companies have no problems with them. The information obligation and the rights of data subjects (Articles 13-22) fared very similarly, with around 40% of companies still having problems complying with them.
One internal compliance manager commented on these results by saying that, although he sees improvement in this area, most entrepreneurs still perceive the GDPR as something that complicates their business.
Other questions focused mainly on data protection officers (DPOs) and their activities within companies. In principle, their first task is to inform companies about their obligations under the GDPR and to "convince" them to implement the changes. This is where the first problem arises, as not everyone is willing to accept these changes. The biggest problem appears to be in the area of sales and marketing, where as many as 56% of respondents said that it was difficult to convince them of the necessary changes. This is followed by external suppliers outside the EU/EEA at 51.3%. On the other hand, positive results are seen with external suppliers from the EU/EEA, where 38.5% of respondents said that it is relatively easy to convince them and only 22.4% said that it is difficult to convince them. The questions in the questionnaire also concerned the pressure exerted on DPOs to reduce GDPR requirements. The greatest pressure was reported to come from the marketing and sales departments, at 46.9%.
According to DPOs in the Netherlands, managers are primarily focused on making profits and only do the bare minimum to comply with laws and regulations. Marketing and IT departments tend to just do their jobs and avoid advice on personal data protection. Even after five years of GDPR training, they do not understand and do not know how the law works.
A series of questions about internal factors that can influence a company to implement improvement measures yielded very interesting results. Respondents were asked to rate 14 factors. The factors that had the greatest impact were: possible loss of reputation with almost 66%, followed by fines and other penalties with 63.4%, and compliance requirements from other businesses (suppliers or customers) with 57.9%. Surprisingly, the EDPB (European Data Protection Board) guidelines had the lowest impact at 46.8%. They justified this by saying that the guidelines are too general and, in practice, virtually unusable. Other categories with very low impact are court decisions and decisions by authorities in other jurisdictions. Respondents' answers reached around 46% in both categories, which they justified mainly by differences in the interpretation, application, and enforcement of the GDPR between EU Member States.
Looking at the overall status of the GDPR, as many as 74.4% of respondents said that if the DPA (supervisory authority) came to inspect the controller, it would find relevant shortcomings in this area. Fewer than 8% think the opposite. These figures are truly alarming.
Six years after the GDPR came into force, awareness and attitudes towards personal data have improved, at least within companies, but the GDPR is still not being consistently complied with. So what should countries focus on, according to the survey? The survey highlighted a number of factors that have a real, positive, and significant impact: high fines and the publication of findings and decisions. The latter, however, is a double-edged sword. On the one hand, such decisions serve as a deterrent to other companies and an opportunity to learn from the specific mistakes of others and avoid them. On the other hand, the company that committed the violation will be associated with the decision, which may damage its reputation, its relationships with customers and partners, and ultimately its business performance.