Paperwork crunch: EU data-privacy rules create burden for SMEs

New data-protection laws seem timelier than ever after the Facebook scandal, but implementing them is overwhelming all but the biggest players.
Many are in the dark about the new rule.

The European Union’s strict new data-privacy rules go into effect next week, threatening to impose a disproportionately heavy burden on small and medium-sized companies. The new rules require firms to obtain signed consent forms from customers to use their data and to allow them to access and delete data companies hold on them.

The clumsily named General Data Protection Regulation (GDPR) is a challenge for big companies but often overwhelming for smaller firms, particularly the family-owned Mittelstand firms that are the backbone of the German economy.

“The added costs for paperwork are enormous,” said Thomas Rick, head of the computer services firm Behrens & Schuleit. “Our in-house data protection person is super-overstressed.” The rules are designed to rein in global giants like Facebook and Google, Mr. Rick believes, but are a punch in the gut to smaller companies.

Mr. Rick was among the few chief executives who started preparing for the new rules more than a year ago. There was a two-year transition period before the rules became effective, but nonetheless most SMEs are unprepared. Many companies “realized only late in the game how extensive the adjustments are and now have to bring more resources to bear on data protection well beyond the cut-off date,” said Achim Berg, president of the IT industry group Bitkom.

Many of the big family firms will be ready by the deadline, said Brun-Hagen Hennerkes of the Family Firm Foundation. Small and medium-size enterprises have a harder time because they lack the expertise in-house and outside consultants are expensive, he noted. Half the firms won’t even be able to have a full-time person to administer the rules.

None of this fazes Andrea Vosshoff, the government official charged with implementing and enforcing the new rules punctually on May 25 when they take effect. There isn't a grace period, she explained in an interview with Handelsblatt. Penalties for not following the rules can be as high as 4 percent of annual sales. But Ms. Vosshoff said authorities aren't looking to impose huge penalties on day one.

That's good news as most companies won’t manage to fully implement the new requirements by the deadline, Mr. Berg observed. A Bitkom survey of 300 startups found that only 9 percent of these new companies have completed preparations for the new rules.

The rules replace the patchwork of national regulations within the EU, putting all companies on the same footing. But they also apply to companies headquartered outside the EU if they collect private data from EU citizens.

The recent fracas over the use of personal data from Facebook by Cambridge Analytica to manipulate voter opinion makes the new rules look very timely. And despite the burden, it’s worth it, said the government’s Ms. Vosshoff. “A company needs the trust of customers in its products,” she noted. “Especially in the digital age, good data protection creates this trust.”

Dietmar Neuerer covers politics and consumer protection for Handelsblatt in Berlin. Heike Anger covers parliament. Darrell Delamaide adapted this into English for Handelsblatt Global.