Open Access
This article examines the implementation of digitalisation projects in the public sector as a function of data protection regulations. Law can be either a driver or a restraint of digital innovation. Expecting that data protection considerations could impede a technical solution, bureaucratic organisations reject possible solutions in the early stages of a project. Commercial enterprises, on the other hand, tend to act on the premise that the first step should be to develop solutions that do not explicitly violate data protection rules. Users (citizens/clients) are in part directly affected as acting stakeholders; in part their interests are represented by data protection authorities. These authorities play the role of "prophets" who interpret and construe the General Data Protection Regulation (GDPR). Their judgement on good and appropriate data protection is justified by the belief that they are acting as a trustee for the users as beneficiaries. However, the powerful role of data protection authorities means that the good intention of protecting personal data becomes a compulsory exercise that is perceived as a burden.
The case study of the project "ID Ideal" in Saxony (Germany) demonstrates the impact of data protection on the development and realisation of applications based on the concept of Self-Sovereign Identities (SSI). In the area where administration, economy and society overlap, use cases are designed for the real-life adoption of SSI-based solutions. Only privacy-compliant applications achieve the necessary level of trust, which enables their (voluntary) provision and use. Thus, data protection in the broader sense is addressed under the heading of "acceptability and usability".
However, the topic of data protection is always an elephant in the room in the "ID Ideal" showcase project. In the project management process, data protection issues are excluded for the time being, even for internal processes within the public administration. So the project is driven by the spirit of demonstrating which regulatory provisions may have to be adapted, rather than which technology is allowed by the regulatory framework.