The vast majority of companies have now implemented the requirements of the GDPR, as shown by a representative survey commissioned by the digital association Bitkom, which was published this Tuesday.
In practice, however, many of the 503 companies surveyed for the study with 20 or more employees in Germany still see themselves as being hampered in their work by the regulations or even at a disadvantage compared to companies in other EU countries.
Only every second company (50 percent) believes that the GDPR will lead to uniform competitive conditions within the EU. After all, 70 percent do not yet see EU-wide uniform data protection due to the different interpretations of the regulations in the member states.
A total of 40 percent of the companies surveyed in the Bitkom study see no competitive advantage for themselves through the GDPR on the international market – and 30 percent even see competitive disadvantages.
>> Read here: Russian cyber attacks on German companies are increasing by leaps and bounds
Bitkom CEO Bernhard Rohleder thinks the idea of the GDPR to create a uniform data protection framework with high standards for Europe is right. “So far, however, it has not been possible to derive the competitive advantage that is often claimed,” he said.
In the opinion of the companies, the fact that the implementation of the GDPR has not yet progressed is mainly due to reasons for which they are not responsible. Above all, they are confronted with legal uncertainty and a contradictory interpretation of data protection regulations within Europe and between the federal states.
88 percent state that the implementation of the GDPR has never been fully completed, for example because there are always new guidelines. 78 percent see existing legal uncertainties regarding the requirements of the GDPR as an obstacle. 77 percent have found that rolling out new tools always triggers a new test.
Stricter data protection is slowing down digitization
Two-thirds of the companies surveyed found that the strict data protection in Germany made digitization more difficult (68 percent), for almost as many the inconsistent data protection inhibited digitization (65 percent). And 61 percent say Germany is overdoing it with data protection – a year ago the proportion was still 50 percent.
Bitkom expert Rohleder also warns: “Data protection must not become an end in itself.” Especially since the rules are not applied uniformly either within the EU or within Germany. “In the long run, Germany cannot afford 18 different data protection interpretations,” said Rohleder. “Whether in Munich or Hamburg, in Cologne or Schwerin: At least within Germany, the same data protection rules must apply.”
Data protection as a barrier to innovation
More frequently than in the previous year, companies are reporting that at least one innovation project has failed in the past twelve months due to data protection or was not tackled at all. In 82 percent of the companies, this was due to specific GDPR specifications (2021: 75 percent), in 93 percent to ambiguities in dealing with the specifications (2021: 86 percent).
Specifically, in every second company this concerns the establishment of data pools, in 45 percent process optimization in the area of customer care, in 38 percent the use of new data analysis tools and in 37 percent the use of cloud services. Around every third company (34 percent) was set back by new software when it came to innovations for the digitization of business processes, 33 percent when using new technologies such as artificial intelligence (AI).
Rohleder points out that digitization is crucial for the competitiveness of German companies and for their resilience to crises. Digital technologies are also the most important innovation drivers for all industries. “Privacy shouldn’t consistently mean things not getting done, rather privacy should help get things done right and ultimately serve the people. “
Help from data protection supervision often insufficient
The data protection supervisory authorities in the federal states and the federal government have a special role to play. Around half of the companies (54 percent) have already received help from them in the implementation of data protection requirements. But the quality of the help also varies greatly.
Of the companies that contacted regulators, 12 percent were very satisfied and 28 percent were fairly satisfied with the help offered. But 34 percent were not satisfied and 22 percent were not at all satisfied.
Susanne Dehmel, member of the Bitkom management, explained: “Data protection in Germany would be served if the supervisory authority provided much more support in the practical implementation of the data protection requirements.” This included “practical” recommendations as well as specific information.
The lack of a data protection agreement with the USA puts a strain on companies
Data transfers to non-EU countries continue to be of great importance for the German economy. The fact that the European Court of Justice (ECJ) overturned the data protection agreement “Privacy Shield” between the EU and the USA two years ago still poses massive problems for many companies that exchange data with the USA.
>> Read here: Brake on innovation or surveillance state – visions of the future collide when it comes to AI regulation
59 percent of them have transferred data to the USA in the past on the basis of the “Privacy Shield”. Today, the vast majority use Standard Contractual Clauses (91 percent). A quarter each uses consent (27 percent) or binding corporate rules, so-called “Binding Corporate Rules” (26 percent).
Because the reasons for data transfers are varied, you cannot simply turn them off by using alternative services, said Bitkom expert Dehmel. For the German economy, the consequences of a cessation of international data exchange would be serious. Dehmel therefore called on politicians to quickly create a framework “which at the same time creates legal certainty for companies and is really practical”.
Companies are also putting pressure on themselves. After all, 55 percent call for a hard line towards the USA in negotiations on international data transfers.
More: Authorities – Significantly more data protection violations in the Corona period.