Berlin, 15 September 2021 - An elaborate review process before the introduction of every digital tool, new decisions by the supervisory authorities on a regular basis and court rulings throughout Europe that can have an impact on one's own company - the data protection requirements put companies in Germany under constant pressure. At the same time, the supervisory authorities do not get good marks for their advice. Half of the companies (50 percent) say Germany is overdoing it with data protection. Two-thirds (66 percent) believe that strict data protection and the inconsistent interpretation of data protection in Germany make digitisation more difficult. These are the results of a representative survey of 502 companies with 20 or more employees in Germany commissioned by the digital association Bitkom. "Data protection is of particular importance in the digital economy and society. However, companies increasingly lack the ability to plan and reliability," says Susanne Dehmel, Executive Director of Bitkom. "Companies are under constant stress when it comes to data protection. They want to comply with data protection, but to do so they not only have to follow court rulings across Europe and know the different interpretations from the member states, but also have to deal with 18 different interpretations from data protection authorities in Germany alone. This is becoming increasingly difficult to cope with, especially for smaller companies."
Effort for data protection has permanently increased due to the GDPR
4 out of 10 companies (42 percent) state that they have had more work since the introduction of the GDPR - and that this will continue in the future. Another third (32 percent) even assume that the effort will continue to increase. Only 19 percent expect that their increased effort will slowly decrease again, and 6 percent no longer have any increased effort. At the same time, two-thirds of the companies (65 percent) have fully or largely implemented the GDPR, but three out of ten (29 percent) have only partially implemented it and just 5 percent are still at the very beginning. Smaller companies in particular are only making slow progress. Among large companies with 500 or more employees, for example, only 3 percent (2020: 2 percent) state that they have only partially implemented the GDPR, and among companies with 100 to 499 employees, the proportion has fallen from 28 to 12 percent within a year. In contrast, the number among smaller companies with 20 to 99 employees remains high at 33 percent (2020: 37 percent).
The companies that have not yet fully implemented the GDPR cite as the main reason that the coronavirus pandemic forced other priorities (82 percent), but almost as many complain that the GDPR cannot be fully implemented at all (77 percent). 61 percent also lack the necessary human resources. Around one in two companies complains about ongoing adjustments due to new rulings and recommendations by the supervisory authority (47 percent) and the need for new audits of data transfers to countries outside the EU (45 percent). "Smaller companies in particular need more and better support in implementing the GDPR," says Dehmel. "There is often a lack of data protection expertise in small companies, so concrete and implementable handouts are needed, for example from the supervisory authorities."
In three out of four companies, data protection has already slowed down innovations
But the GDPR is not only causing expense, it is also slowing down innovation projects in the German economy. Three quarters of all companies (76 percent) state that innovation projects have failed due to specific requirements of the GDPR. And in 9 out of 10 companies (86 percent), projects have been stopped because of ambiguities in dealing with the GDPR. Most frequently affected was the establishment of data pools (54 percent), followed by process optimisations in the area of customer service (37 percent), projects to improve data use and the use of new technologies such as artificial intelligence or big data (36 percent each). And in every third company (33 percent), the use of cloud services was affected. "Digital technologies are the most important drivers of innovation across all industries. We need a better balance between data protection and data use," says Dehmel.
Legal uncertainty is an increasing problem in the implementation of the GDPR
In recent years, the problems with the implementation of the GDPR have increased significantly. More than three quarters (78 percent) of companies now say that legal uncertainty is the biggest challenge, compared to only 68 percent two years ago. Too many changes or adjustments to the requirements are the complaint of 74 percent, up from 59 percent in 2019. Inconsistent interpretation within the EU is an obstacle for 52 percent (this was not asked about in 2019, in 2020: 45 percent), and a lack of financial resources is cited by 37 percent, more than twice as many as in 2019 with 18 percent. Challenges that companies can directly influence, on the other hand, are not gaining in importance: difficult technical implementation continues to hinder 34 percent, a lack of qualified employees is cited by only 33 percent (2019: 37 percent) and a lack of support within the company is seen by only 8 percent (2019: 13 percent).
In parallel, dissatisfaction with the supervisory authorities is growing. Two-thirds (66 percent) criticise the lack of implementation support from the supervisory authorities, compared to only 53 percent two years ago. "If problems such as legal uncertainty or a lack of implementation support by the supervisory authorities are increasing, then something is obviously going wrong," warns Dehmel. "Normally, the problems are big at the beginning of a new legislation and then become smaller with first experiences, decisions and more numerous assistance."
Supervisory authorities provide too little useful support
Even with specific questions, only a minority receives support from the supervisory authorities. A quarter (24 percent) have already asked for help in implementing data protection regulations, but have not received an answer. A similar number (28 percent) have received a reply, but it was not helpful. Only 3 in 10 (29 percent) say they actually received help in response to their question: 64 percent of them in the form of guides, 32 percent with individual counselling, 27 percent in group counselling. Of the companies that have received assistance, 12 percent say they were very satisfied with it, 19 percent were somewhat satisfied. But 41 percent were rather dissatisfied and 25 percent not at all satisfied. "In order to sustainably promote data protection in companies, it is not enough to process complaints and impose fines for proven violations," says Dehmel. "Much more could be achieved for data protection in practice if the supervisory authorities took preventive action and supported companies in the practical implementation of data protection requirements by providing concrete information and practical recommendations."
A lack of need was not the main reason companies did not ask for help: only 1 percent said they did not need help. But one in three (34 percent) refrained from asking because other companies reported bad experiences. One in four does not even know that the supervisory authority offers help (26 percent) or assumes that the quality of help there is not good (25 percent). Around one in five (18 percent) are afraid that the supervisory authority will find out about their own problems. And 16 percent think that the supervisory authority is not interested in solving problems at all.
The economy relies on data transfers to non-EU countries
With the abolition of the Privacy Shield through the so-called Schrems II ruling of the ECJ, the most important basis for the EU-US data exchange has ceased to exist. International data transfers to non-EU countries play a major role for the German economy. Every second company (48 percent) exchanges data with external service providers outside the EU, every fourth (25 percent) with business partners there and 12 percent with other corporate units. Of these, 52 percent transfer data to the USA, 35 percent to Great Britain, 18 percent to Russia and 13 percent to India. China (8 percent), Japan (7 percent) and South Korea (4 percent) are also frequently mentioned.
The reasons for international data transfers to non-EU countries are manifold. 9 out of 10 companies (85 percent) use cloud offerings that store data outside the EU, and two-thirds (68 percent) use service providers worldwide, for example for 24/7 security support. Half (52 percent) use communication systems that store data outside the EU, one in five (22 percent) have sites outside the EU. And 13 percent work with partners in non-EU countries, for example in research and development.
If personal data could no longer be processed outside the EU, this would have serious consequences for companies and the German economy as a whole. 62 percent say they would then no longer be able to offer certain products and services, and 57 percent fear competitive disadvantages compared to companies from non-EU countries. In this case, 54 percent each expect higher costs and expect that they would no longer be able to maintain their global security support. Four out of ten companies each expect a disruption of their global supply chains (41 percent) and quality losses in their own products and services (39 percent); 31 percent would have to change their corporate structure. 12 percent of the companies would fall behind in the innovation competition and 3 percent would have to discontinue their business activities, according to their own statements. No company expects that an end to the transfer of personal data would be without consequences for its business activities. "Data transfers to non-EU countries are as important for the German economy as international supply chains. This is not a nice-to-have, but the core of an increasingly digitalised economy in the 21st century," says Dehmel. "Politicians urgently need to create a framework that brings legal certainty for companies and is actually implementable in practice."
The next federal government must put data protection on the agenda
At the top of the list of companies' wishes for the next federal government on data protection is the demand for an adaptation of the GDPR (89 percent). Around two-thirds want data protection regulations to be more standardised across Europe (68 percent) and the federal laws in Germany to be harmonised. 6 out of 10 each advocate the abolition of state data protection authorities (60 percent) and better access to public sector data (57 percent). About half expect a hard line towards the US in negotiations on international data transfers (46 percent). And a third (32 percent) see a political solution for international data transfers as an urgent task.