One in five IT companies have so far ignored the GDPR

In less than a year, companies in Germany and Europe will face fines in the million euros if they fail to implement the General Data Protection Regulation (GDPR). However, one in five IT and digital companies (19 per cent) have not yet dealt with the topic and only one in three (34 per cent) has started to organize or even implement the first measures.

Four out of ten companies (42 per cent) are currently working on the subject, but have not started to implement measures, and 5 per cent did not or could not provide any information. This is a result of a survey carried out by Bitkom among more than 200 IT and digital companies.

The Regulation introduces a large number of new information and documentation obligations that companies have to comply with. There are also completely new legal requirements such as the principle of privacy by design in the product development or data protection impact assessments.

Out of the companies that have already taken the first measures, every third company (31 per cent) has just done a maximum of 20 per cent of its homework. “Time is running for companies. The transition period of two years was intended to give them the necessary time to get started, but this requires active commitment to the subject” says Bitkom‘s Director for Data Protection and Security Susanne Dehmel. “Companies which have so far ignored the GDPR should urgently consider how they can catch up and whether this is still possible without external help.”

To get started, Bitkom has published "Questions and Answers" (FAQs) on the GDPR, which provide a first overview of the changes to today's legal situation. An English version can be downloaded on Bitkom’s website here.

Furthermore, practical guidelines on how to establish and keep records of processing activities, how to carry out risk assessments and data protection impact assessments as well as information on data processing on behalf have been published.

The latter is accompanied by a model contract between controllers and data processors in line with the requirements of the GDPR. These documents will be also translated into English. The German versions are already available on Bitkom’s website as free download:

The GDPR entered into force on 25 May 2016. However, the regulation will only apply after a transition period of two years. This means from 25 May 2018 onwards all companies within the scope of the GDPR have to be compliant and are subject to enforcement by national data protection authorities and courts facing sanction up to 4% of worldwide annual turnover.

The EU General Data Protection Regulation will also be key topic at Bitkom’s International Privacy Conference on 19 September in Berlin. More than 200 privacy experts and decision-makers from international companies, politics and research will come together to discuss practical solutions and the implementation of data protection rules. 

Basis: Survey conducted by Bitkom Research among 228 ICT companies. The questions were: “To what extent has your company already dealt with the implementation of the GDPR? and if you would have to state the progress of your company in the implementation of the GDPR in percent: how far is your company?