10 years of data protection balance sheet

Andrea Gillhuber,

GDPR remains a burden factor for companies

Ten years after the GDPR came into force, 71% of companies have largely implemented the requirements, according to Bitkom. At the same time, effort, legal uncertainty and complexity are increasing. Many companies see new problems, particularly when using AI.

© Robert Kneschke/stock.adobe.com

Ten years after the General Data Protection Regulation (GDPR) came into force, data protection is well established in companies, according to a long-term study by the digital association Bitkom. At the same time, many companies are reporting rising costs and increasing uncertainties in practical implementation.

According to the study report "10 years of the GDPR", only 7% of companies had fully or largely implemented the requirements at the start of 2018. In 2024, this figure was 71%. At the same time, more and more companies see the regulation as a burden on business processes: While 25% stated in 2016 that the GDPR made processes more complicated, this figure had already risen to 81% by 2025.

Answers to the question "To what extent do the following statements apply to your company or in your opinion?" © Bitkom

In 2024, 84% of companies reported an increase in data protection costs since the introduction of the regulation. 97% now rate the effort as high, 44% of them as very high. In addition, 72% of the companies surveyed in 2025 stated that Germany overdoes it when it comes to data protection. In 2020, this figure was still at 40%.

For the study, Bitkom Research has conducted an annual representative survey of companies with at least 20 employees in Germany since 2016. Most recently, 603 companies from various sectors took part. Bitkom President Dr. Ralf Wintergerst said: "Data protection is not a chore, it is a central pillar of the digital world."

Advertisement

Companies see additional challenges, particularly when it comes to the use of artificial intelligence. In 2025, 69% of respondents stated that data protection requirements made it difficult to train AI models with sufficient data. In 2023, only 42% stated this. In addition, 63% believe that data protection regulations could force companies that develop AI out of the EU.

Many companies also report problems with data pools for AI and analysis applications. 59% stated that projects had failed or not even been started due to data protection requirements. In 2020, this figure was still 41%.

The study also cites international data transfers, legal uncertainties and the shortage of data protection specialists as further challenges. For example, 61% of companies transfer personal data to the USA. 71% would like to see political solutions for international data transfers. In addition, 82% see unclear data protection regulations as a major problem. 38% complain about a lack of qualified data protection personnel - the highest value in the time series.

The full study report "10 years of GDPR - An interim assessment of data protection in companies" is available for download below.

  • Xing Icon
  • LinkedIn Icon
Advertisement
Advertisement

You might also be interested in

Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Subscribe to our newsletter
Advertisement
Back to home