Do you remember the protests against the national census in 1983? Thousands took to the streets and the popular boycott movement led to a review of the census by the Federal Constitutional Court, resulting in the court affirming the right to informational self-determination for the first time.
One in two Mittelstand companies is not prepared for the General Data Protection Regulation
35 years later, another historic date for data protection is upon us: soon the General Data Protection Regulation comes into effect. This regulation will standardise data protection law throughout Europe and is designed to improve consumer protection – at the same time, it poses huge challenges to small and medium-sized companies: most of the Mittelstand are still totally unprepared for it. A Forsa survey commissioned by us shows that one in two small and medium-sized companies (SMEs) is not yet adequately prepared for the GDPR. More shocking still, in my view: a good third (36 percent) of surveyed Mittelstand companies haven't even heard of the new data protection act.
That cannot be said of the insurance sector: our members have already spent years preparing for the conversion. After all, good data protection has always been extremely important to our business as it provides an essential basis for trust. That is why we were the first industry in Germany to introduce a Code of Conduct in 2012, whereby we made a voluntary commitment to data protection with the cooperation of the relevant authorities. The Code of Conduct will also be amended to comply with the GDPR. So we haven't fallen behind.
Nonetheless, we insurers are faced with a challenge, too: Debeka boss Uwe Laue spells out the implications of the conversion in an interview with our trade magazine “Positionen”: Debeka has held consultations and workshops with over 160 employees just to determine those areas in which action must be taken. This has resulted in a programme comprising, at one point, 14 projects involving employees from almost all areas. In addition to this enormous in-house undertaking, the Group has enlisted the services of lawyers and project managers outside the company. I also keep hearing from our other members how many changes they have to make to comply with the GDPR.
As a heavily regulated sector, our companies have an excellent understanding of implementing complex regulatory requirements: Solvency II has barely been implemented when the new distribution regulation IDD is upon us; new IT requirements (VAIT) and the new international accounting standard IFRS are already in the offing. On top of that, we now have a project of the scale of the GDPR to deal with, while changes to the other regulations, which have just been finalised, are already under discussion again.
This is a big ask, particularly of smaller companies. For that reason, it is always advisable to remain mindful of what is reasonable. Proportionality is the operative word. If eight percent of employee costs go to supervision alone, i.e. to keeping pace with regulatory developments, I consider the following question legitimate and necessary: Who is supposed to manage that?
GDV subsidiary VdS wins Initiative Mittelstand IT innovation prize
Imagine the following scenario: if a Mittelstand company has to hire a specialised law firm, which takes weeks to familiarise itself with the company’s operations, simply for the company to state with a clear conscience that it has done everything to implement the GDPR, that is when regulation has gone too far, at least in terms of proportionality. Data protection lawyer Nico Härting criticised the provisions for being far too complex in a revealing interview: “no-one will achieve 100% compliance.” Our subsidiary company VdS has issued some practical assistance to make the process a bit more bearable for the Mittelstand and was awarded the Initiative Mittelstand IT innovation prize for its efforts.
Of course it is also true that data protection is nowhere near as important to many small businesses as it is for the insurance sector. We will continue to do all we can to uphold the protection and security of our customers’ data. At the same time, Nico Härting put it well when he said: “You have to be able to afford data protection compliance.”
Jörg von Fürstenwerth