3 years of GDPR: Further ambiguity in companies

Three years ago, on May 25, 2018, the General Data Protection Regulation (GDPR) came into force. This meant enormous changes for many companies with regard to the storage and processing of data – although the GDPR had not introduced anything new. But now, severe penalties loom for companies that fall victim to a data protection incident. To mark this anniversary, UK market research firm Opinion Matters conducted a survey of 1,276 business decision-makers on behalf of CrowdStrike to gauge current perceptions of the regulations within companies.


The central finding of the survey is that there is still a lot of uncertainty about fundamental elements of the GDPR in German companies, even three years after it came into force. The key findings at a glance:

  • 41% of German participants do not know the timeframe within which they must report data protection breaches to the relevant authorities, and 47.5% incorrectly estimate the timeframe.
  • The impending penalties for GDPR violations are correctly quantified by only 9% of respondents in Germany, and 50% said they did not know the amount of possible penalties at all.
  • 45% of German business owners said that their company has not benefited from the steps implemented in the wake of the GDPR.
  • 24.5% of German respondents said that their company had already been the victim of a cyberattack.
  • Nevertheless, 53.5% of respondents in Germany consider their company to be prepared in such an event.

"The GDPR came into force three years ago by now. Against this backdrop, it is all the more surprising that there is apparently still uncertainty in many German companies about the deadlines within which data protection breaches must be reported or the fines that may be imposed for breaches of the GDPR," said Drew Bagley, Vice President and Counsel of Privacy and Cyber Policy at CrowdStrike. "According to our survey, many companies seem to take the threat of cyber attackers lightly, not having taken precautions in case of an attack. They don't even have to be the actual target of an attack. As WannaCry or NotPetya have shown, collateral damage can also reach unimaginable heights."

Other key findings of the CrowdStrike survey on the GDPR:

  • 27% of the German companies surveyed have not taken precautions in the event of a cyberattack. This puts Germany well above the international average – 15.9% of respondents gave this answer.
  • Fittingly, a total of 47.5% of respondents in Germany said that they tended not to see their company as a target of cyberattackers, or did not see it as one at all. On average internationally, a total of only 30.33% of respondents shared this view about their company.
  • 71% of respondents in Germany stated that their company had not yet been the victim of a cyberattack. This puts Germany well above the international average of 53.8% of respondents.
  • Only 82% of respondents in Germany are certain that the GDPR will continue to apply after Brexit. This view is shared by only 75.7% of respondents on average internationally.

The survey was conducted by Opinion Matters on behalf of CrowdStrike. To determine the results, 1,276 business decision-makers in the EU (Germany, France, Italy, Spain), the UK and the USA were surveyed between April 30 and May 10, 2021. The number of respondents in Germany is 200. Opinion Matters follows the rules of the Market Research Society and employs members of the Society. The Market Research Society operates on the basis of the ESOMAR principles.
