Businesses Demand GDPR Overhaul

German businesses are mounting significant pressure for reform of the European General Data Protection Regulation (GDPR), according to a recent survey by the Bitkom IT industry association. The findings reveal a growing disconnect between the regulation’s intentions and its practical impact, fueled by escalating compliance burdens and a perception that Germany is applying the rules excessively.

The survey, conducted among 603 German companies with over 20 employees, demonstrates a striking consensus on the need for change. A resounding 79% of respondents urge the German government to actively push for a GDPR reform at the European level, with 71% specifically advocating for a loosening of the regulation’s stringent requirements. This sentiment reflects a widespread feeling that current regulations are hindering digitalization and imposing unsustainable operational costs.

The survey highlights a worrying trend: businesses increasingly feel stifled by the GDPR’s complexity. A significant majority (69%) report a continued rise in the compliance effort required over the past year, with 97% characterizing the overall burden as “very high” or “rather high”. Furthermore, 72% believe Germany is overreaching in its application of GDPR principles, a figure that has risen from 64% just a year ago. This excessive enforcement, several companies contend, is actively impeding Germany’s digital transformation, with 77% citing GDPR as a barrier – up from 70% in 2024.

The compliance challenges are multifaceted. Businesses consistently struggle with the feeling that compliance is a never-ending process (86%) and grapple with a lack of clarity regarding specific GDPR provisions (82%). The need for continual re-evaluation whenever new tools are implemented (77%) adds further stress.

Companies are particularly frustrated with what they perceive as an overly stringent interpretation, leading to over-compliance driven by fear of penalties (62%). This fear, coupled with a lack of clear and practical guidance from supervisory authorities (54%), creates significant uncertainty. Furthermore, inconsistencies in interpretation across EU member states and even within Germany are compounding the problem.

Internal challenges are also prominent. Companies lack sufficient financial resources (31%) and qualified personnel (38%) to effectively manage GDPR implementation. They also find it difficult to translate complex GDPR requirements into understandable terms for employees (46%) and to secure the necessary time for required IT and system changes (50%).

Business leaders are calling for specific policy adjustments, including reducing the documentation requirements for processing activities (76%) and abolishing the “permit-based” obligation (73%). Calls for simplification extend to pseudonymized data usage (63%), mandatory practical advice from regulators (62%), greater legal certainty regarding data balancing (61%) and reducing information obligations (60%). A significant portion also wants to see greater leeway for data processing without explicit consent (54%) and a reduction in the regulatory scrutiny surrounding Data Protection Impact Assessments (53%).

The need for centralized data protection oversight at the federal level is also gaining traction, with 53% advocating for the change, reflecting broader concerns about the inconsistencies and potential for arbitrary enforcement across the country.

Despite efforts, data breaches remain a reality. A quarter of businesses admitted to such incidents over the past year, primarily entailing significant organizational efforts to rectify the situation and often accompanied by financial penalties. The consequences of these breaches are substantial, encompassing organizational overhead, fines, lost customers and reputational damage.