After 5 years: GDPR only receives the grade "sufficient"

  • Companies consider EU data protection too impractical and too complicated
  • At the same time, however, the GDPR leads to more data security and greater trust
  • In practically every company, innovation projects have failed because of data protection

Berlin, 5th October 2023 - After five years, German companies do not give the European General Data Protection Regulation a good report card: The GDPR, which has been in force since May 2018, only receives the grade "sufficient" (representing a 3.9 in the German grading system). Although two thirds (65 percent) of companies have now fully or largely implemented the regulations, the challenges are still great. The main complaints are that the GDPR makes business processes more complicated (78 percent) and is too impractical (77 percent). This is the result of a representative survey commissioned by the digital association Bitkom among 503 companies with 20 or more employees in Germany. 56 percent report that the development of new products and services is delayed by the GDPR and around half (48 percent) find that innovations from other regions cannot be used in the EU because of the GDPR. 59 percent have the impression that the supervisory authorities are using the GDPR to enforce their view of the world. At the same time, the companies also highlight advantages of the data protection rules in the five-year review: data security in the company has improved and the GDPR sets standards worldwide (61 percent each); in addition, trust in digital processes has been strengthened (51 percent) and the competitive conditions in the EU are now more uniform (45 percent). 12 percent think that the GDPR should be tightened to better protect citizens. "Even after five years, there is unfortunately more shadow than light in the GDPR. The goal of creating a uniform data protection framework with high standards for Europe was and remains correct. But implementation and interpretation in practice mean that this goal has not yet been achieved. Companies are struggling with the permanent task of data protection," says Susanne Dehmel, member of the Bitkom management board.

GDPR: Effort has increased - and is not going to decrease

Every second company (50 percent) has had higher expenses for data protection since the introduction of the GDPR and expects this to continue (2022: 47 percent). One in three (33 percent) has a higher effort and expects this to increase further (2022: 30 percent). 86 percent of those responsible for data protection in companies barely manage to follow all current data protection developments in case law (2022: 81 percent). Three quarters (74 percent, 2022: 64 percent) state that data protection in Germany has become so complicated that they find it difficult to educate employees about data protection. 58 percent say that they are perceived in the company primarily as people with concerns (2022: 50 percent).

A clear majority of 7 out of 10 companies (69 percent) see the GDPR as a disadvantage in international competition compared to other companies that are not subject to the GDPR. "Data protection in Germany has become so complicated that even the professionals can hardly keep up. At the same time, data protection affects more and more areas of our economy, but also our everyday life in a digital world," says Dehmel. "We need data protection that is understandable and practical."

As the biggest challenge in implementing the GDPR, 92 percent cite that implementation is never fully completed. 86 percent state that the roll-out of new digital tools always restarts the audit. 82 percent complain about legal uncertainty regarding the exact requirements of the GDPR, 56 percent about a lack of advice from the supervisory authorities and 54 percent about requirements being fundamentally too high. 48 percent see the inconsistent interpretation of the GDPR in Europe as one of the biggest challenges, 35 percent see the inconsistent interpretation in Germany. But internal company reasons also play a role: 50 percent say the necessary IT conversions cost a lot of time, 41 percent are inhibited by a lack of financial resources, 26 percent by the lack of qualified employees. Only 15 percent see an obstacle in the lack of involvement of data protection officers, 10 percent in the fundamental lack of support in the company. "There is no lack of will on the part of companies to implement the GDPR, but it is not made easy for them by politicians and authorities," says Dehmel.

Data protection is a brake on innovation in companies

In all companies (100 percent), the GDPR has led to innovative projects failing or not even being started in the past twelve months. In 86 percent of the companies, the specific requirements of the GDPR were the cause, and in 92 percent, there was a lack of clarity in its application. Most affected are innovation projects to build up data pools (59 percent, plus 7 percentage points) and to optimize processes in customer care (47 percent, plus 2 percentage points). In about one in three companies, the issues were the use of new data analysis tools (37 percent, minus 1 percentage point), the digitalization of business processes through new software (37 percent, plus 3 percentage points), the use of artificial intelligence (34 percent, asked for the first time), the use of cloud services (32 percent, minus 5 percentage points), and the use of software from global providers and platforms (32 percent, plus 6 percentage points). 26 percent report problems with the integration of additional digital tools (minus 2 percentage points). "Data protection shall not slow down digital innovations to this extent," says Dehmel. "If you look at the momentum around AI right now, then months of delays mean a serious competitive disadvantage for Germany."

Opinions differ widely on the question of the influence of data protection on AI. 44 percent think that data protection creates legal certainty for the development of AI applications, but 56 percent warn that data protection will drive companies developing AI out of the EU.

Without international data transfers, little works in the German economy

German companies are heavily dependent on international data transfers to countries outside the EU. Only 36 percent of companies manage without such data exchange. 44 percent of companies transfer data to external service providers, 29 percent to business partners for joint purposes and 17 percent to group subsidiaries or other group units. The most important destination country for international data transfers remains the USA. 64 percent of the companies that transfer data internationally have data processed in the USA. This is followed by Great Britain (39 percent), India (17 percent), China (9 percent), Japan (6 percent), Ukraine (5 percent) and South Korea (3 percent). As in the previous year, no company transfers data to Russia anymore.

Companies transfer data outside the EU for two main reasons: cloud and communication. 94 percent use cloud offers from providers outside the EU, 83 percent use corresponding communication or video conferencing systems. 56 percent use service providers worldwide, for example to maintain round-the-clock security support. 32 percent use services in non-EU countries, for example for billing or database management. And 27 percent have company locations outside the EU, 20 percent work with non-EU partners, for example in research and development. "There is no singular reason for international data transfers - and it is not a matter of nice to have, but of absolutely necessary tasks that cannot be mapped arbitrarily within the EU borders, as is often claimed in the debate," says Dehmel.

Accordingly, a possible ban on international data transfers would affect all companies (100 percent). 68 percent expect competitive disadvantages, 58 percent expect higher costs and 56 percent expect that international supply chains will no longer function. Around half (52 percent each) would no longer be able to maintain global security support or offer certain products or services. In such a case, 31 percent would have to reorganize their corporate data processing, 23 percent fear worse products and services and 21 percent fear falling behind in the innovation competition. "International data transfers do not affect a few companies or only large, global corporations, but the German economy depends on them across the board," says Dehmel. "It is good that the EU and the USA have agreed on a successor agreement to the Privacy Shield. It is important that it does not lead to new uncertainties and legal insecurities."

A good 5 years after the introduction of the GDPR: growing desire for political action

A good five years after the entry into force of the GDPR, the desire for political action is growing among companies. 95 percent want the many special and specific regulations on data protection to be merged (2022: 94 percent). 87 percent advocate an adaptation of the GDPR (2022: 84 percent), 79 percent a standardization of data protection regulations within the EU (2022: 74 percent). With regard to Germany, 67 percent want federal laws on data protection to be harmonized (2022: 67 percent) and 66 percent want data protection supervision in Germany to be standardized (2022: 51 percent). 71 percent want access to public sector data to be improved for companies (2022: 62 percent). "With increasing digitalization, data protection issues touch the core of the vast majority of companies. Accordingly, the importance of data and its responsible use must become an even stronger focus of politics and should not be the task of data protection officers alone," says Dehmel.