Based on a current data collection from our company index on April 30, 2018, only 10,775 companies from Germany have modified their data protection declaration in response to the new General Data Protection Regulation (GDPR). The evaluation indicates that micro-enterprises in particular are struggling to implement the more extensive requirements. Companies with business models in which data and data exchange play a critical role take advantage of the opportunity to proactively adapt their data protection.
About Implisense: The Berlin-based start-up Implisense is one of Germany’s leading providers in the field of B2B lead generation. Our text mining procedures analyze online content for all companies listed in the commercial register and located in Germany. The data obtained are assigned to the companies as structured characteristics and thus enable to identify, evaluate and observe potential business partners, customers or competitors from a new perspective.
The General Data Protection Regulation is approaching and putting pressure on many companies. Serious penalties linked to company turnover are imminent. At the same time, the new requirements, for example in the areas of documentation, data security and transparency, should not be underestimated. It is not uncommon for managing directors, authorised signatories or data protection officers to sit in front of never-ending checklists, create biblically-sized documentations, and finally make a revised data protection declaration of often far more than 10 pages available.
After all, the fair use of personal data by the private sector is an issue that society and legislation must constantly keep up with in times of drastically developing information technologies.
Against this background, Implisense has investigated how many companies are highly likely to have already addressed this issue and updated their data protection agreements. For this purpose, we have calculated the distribution of relevant signal words – such as the direct reference to the now applicable European Directive, synonyms (e.g. GDPR, General Data Protection Regulation and the German term DSGVO), and typical formulations – on company websites. The occurrence of the indications was then faceted with a view to other company characteristics, such as industry affiliation and size, in order to identify the associated characteristics.
Only one of 50 companies has adapted the data protection declaration
Even if the possible additional costs of implementing the new regulation are taken into account, the result is surprisingly clear. Our analysis suggests that only 10,775 companies have references to an adapted data protection declaration. This is all the more remarkable with a total of approximately 593,337 active companies registered in the commercial register and with sufficient data. This corresponds to approx. 1.8% or 1 of 50 companies.
A potential aspect can already be anticipated when looking at the distribution of these companies over the size of the company. Smaller companies in particular are struggling with the new requirements. For example, we estimate that micro-enterprises account for around 69% of the total. For companies with GDPR references, this shrinks to 61%. Large enterprises, on the other hand, are almost twice as often represented as in the total volume at 3%. The following graph compares the size distribution of companies in the population (left) with the estimated distribution of companies with updated data protection declaration (right).
The potential link between company size and data protection update suggests that certain industries and business models could also be more strongly associated with it. The graph below shows industries that are disproportionately frequently represented in the hits (top 20 in order; WZ 2008) and their absolute number of hits.
The IT sector, for example, is most over-represented (J62). With 2,732 hits, these also account for the bulk of companies with an updated data protection declaration. Other sectors with data- and communication-intensive business models dominate the list, e.g. IT service providers (J63), the retail sector (G46, G47), lawyers (M69), financial service providers (K64) and consulting firms (M70). So if companies have updated their data protection, it is probably only because an extreme amount of data is generated on the basis of their business model. Slightly unexpectedly, the crafts (F43), electrical engineering (C26) and metal production (C25), as well as the education sector (P85) are to be found in it.
Exemplary hits on companies with updated data protection declaration from a greatly simplified analysis can be viewed directly on our platform Companies and Markets:
The lists of example companies for example quickly show that companies from the education sector often offer training measures in the field of DGPR and are therefore assigned to this topic.
For further exploration of these sub-segments, we invite you to test Implisense Pro free of charge. The filter and search criteria used for the analysis, such as segmentation by size, as well as the entire hit lists can be viewed and further narrowed down using additional criteria, e.g. region. Test the functionality here.
Our small analysis to identify companies that have already dealt with the GDPR is based on probabilistic methods and is therefore not necessarily representative. It covers companies that are only highly likely to have already done their homework on the General Data Protection Regulation.
It can also be further refined. As the example of training providers in the field of GDPR shows, e.g. by excluding certain sectors from the analysis. Finally, it does not necessarily state that existing data protection policies at companies that were not in the hit list are not already professionally designed and may only need to be formally adapted. In our opinion, the effects of these restrictions cannot call into question the basic findings of the evaluation.
Only a fraction of companies in Germany are finally prepared for the General Data Protection Regulation a few weeks before the implementation deadline expires. There is evidence that micro-enterprises in particular find it more difficult to ensure implementation. If so, then companies with particularly data-intensive and communication-intensive business models tend to implement the new data protection regulations. The question is, what business models in the age of digitization can still afford not to work with data to an appropriate extent?
What is your company’s position regarding the implementation of the GDPR? How many of your competitors already have visible indications of the implementation of the new amendment on your website? Our freely-searchable platform Companies and Markets is available here to help you assess these further questions.