{"id":8599,"date":"2026-06-26T07:30:00","date_gmt":"2026-06-26T07:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8599"},"modified":"2026-06-26T07:30:00","modified_gmt":"2026-06-26T07:30:00","slug":"gdpr-at-10-landmark-data-protections-increasing-business-burden","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8599","title":{"rendered":"GDPR at 10: Landmark data protections, increasing business burden"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Ten years have passed since the General Data Protection Regulation (GDPR)<\/a> came into force, and the results are mixed. While data protection has become more firmly established in European companies \u2014 and beyond \u2014 than ever before, the business world remains critical of the regulation due to increasing bureaucracy, legal uncertainty, and competitive disadvantages.<\/p>\n

From a data protection perspective, this is\u00a0a success story.\u00a0According to a 2018 Bitkom study<\/a>, shortly before GDPR came into effect that year, only 7% of German companies had fully or largely implemented the requirements. Six years later, 71% of German companies said they had done so.<\/p>\n

Furthermore, GDPR has significantly increased awareness of the protection of personal data \u2014 both among companies and consumers. Customers are paying closer attention to transparency, consent, and data security. For many companies, data protection has now become a competitive factor in building customer trust.<\/p>\n

At the same time, record fines against data giants such as Meta, TikTok, and Uber<\/a> show that the GDPR is serious business, with the total amount of publicly known GDPR fines having exceeded \u20ac6 billion for the first time in March 2026. Still, just 60% of fines have been paid to date<\/a>, with other fines having been annulled or remaining under appeal.<\/p>\n

Also,\u00a0according to law firm CMS, there has been a clear shift in focus for GDPR enforcement: Supervisory authorities are increasingly concentrating on practical compliance issues and less on isolated, high-profile cases. What began with landmark proceedings and record fines has now evolved into a routine, operational review of companies\u2019 day-to-day data protection practices.<\/p>\n

Companies complain of increasing burden<\/h2>\n

At the same time, dissatisfaction within the business community is increasing. What was originally intended to provide greater legal certainty and uniform rules across Europe is now perceived by many companies as a constant burden.<\/p>\n

In a Bitkom survey from 2025, 81% of companies surveyed stated that the GDPR was making their business processes more complicated. In 2016, only 25% held this view. By 2025, 97% rated the effort required\u00a0as high, with 44% rating it as very high.<\/p>\n

There are many reasons for this discontent. Four out of five companies surveyed (82%) by Bitkom cited uncertainty regarding the precise data protection regulations as a challenge in 2025. At the same time, 86% believe that implementation is never truly complete because companies must continuously react to technical and legal developments. Data protection is thus perceived as a particularly challenging, ongoing compliance task.<\/p>\n

AI: GDPR\u2019s new test<\/h2>\n

Data-driven projects are particularly affected. In 2025, 59% of study participants reported that the development of data pools had failed or not even been initiated due to data protection regulations. The figures remain high for data analysis tools, AI applications, and the digitization of business processes as well. Data protection regulations are thus perceived as a hurdle primarily where \u2014 as is particularly the case with AI \u2014 innovations depend on large volumes of data.<\/p>\n

The result: According to Bitkom, 59% of companies see European data protection as an advantage for AI development in Germany and Europe compared to other countries. In practice, however, they experience the opposite. For example, in 2025, 69% of respondents stated that data protection makes it difficult to train AI models with sufficient data.<\/p>\n

\u201cThe reality is: AI is not being developed in Europe because of our data protection practices, but the models are still being used here,\u201d commented Bitkom President Ralf Wintergerst on the findings. \u201cThis means nothing is gained for the protection of European citizens\u2019 data, but much is lost for Europe as a business location.\u201d<\/p>\n

Bitkom is therefore calling for a reform that strengthens data protection where real risks to people arise \u2014 and relieves companies of the burden where formal obligations offer no additional protection. Specifically, this means a consistent risk-oriented approach to the GDPR and a unified understanding that the training and operation of AI systems must also be possible in Europe, says Wintergerst.<\/p>\n

Whether the industry association\u2019s demand for a relaxation of data protection standards in favor of technological competitiveness is also in the interest of consumers is another matter. What is certain is that the GDPR has not lost its relevance even 10 years after its entry into force (or eight years since its application).<\/p>\n

Or, as lawyer\u00a0Anna Lena F\u00fcllsack<\/a>\u00a0from CMS puts it: \u201cThe enforcement of the GDPR has outgrown its infancy and is now an integral part of the regular legal landscape throughout Europe. For companies, it will remain a key strategic issue in the coming years.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Ten years have passed since the General Data Protection Regulation (GDPR) came into force, and the results are mixed. While data protection has become more firmly established in European companies \u2014 and beyond \u2014 than ever before, the business world remains critical of the regulation due to increasing bureaucracy, legal uncertainty, and competitive disadvantages. From […]<\/p>\n","protected":false},"author":0,"featured_media":8600,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8599","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8599"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8599"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8599\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8600"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8599"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8599"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8599"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}