GDPR only brings competitive advantages to very few companies

  • Unclear regulations and inconsistent interpretation of the General Data Protection Regulation cause problems for business
  • 93 percent of companies have ramped up investments in data protection

The European General Data Protection Regulation is still a long way from its goal of creating uniform data protection rules in Europe. This is despite the fact that the vast majority of companies have now implemented the requirements of the GDPR. This is shown by a representative survey commissioned by the digital association Bitkom among 503 companies with 20 or more employees in Germany. 67 percent praise the fact that the GDPR sets global standards for the handling of personal data. And every second company (50 percent) believes that the GDPR will lead to a level playing field within the EU. But 70 percent do not yet see uniform data protection across the EU due to the different interpretations of the GDPR in the member states. And the assessment with regard to their own company is also predominantly critical. Thus, 40 percent cannot see any competitive advantage for their own company on the international market due to the GDPR - and 30 percent even see competitive disadvantages. This contrasts with 16 and 13 percent, respectively, who see the GDPR as a minor or major competitive advantage. "The idea of the GDPR to create a uniform data protection framework with high standards for Europe was and is correct. So far, however, it has not been possible to draw the often claimed competitive advantage from it," says Dr Bernhard Rohleder, CEO of Bitkom.

Data protection effort is ramped up for the GDPR

The vast majority have now implemented the GDPR, either fully (22 percent) or for the most part (40 percent). A third (33 percent) consider themselves to have only partially reached their goal, only 2 percent have only just begun implementation - and no company has done nothing yet. Practically all companies have increased their data protection efforts since the introduction of the General Data Protection Regulation (GDPR). 16 percent note that this is slowly decreasing again, but 47 percent expect the effort to remain at the same level, 30 percent even expect the already increased effort to increase further. Only 6 percent see no additional effort, and for no company has the effort decreased. "The GDPR is not a point plan that you take on and then implement once," says Rohleder. "It requires permanent efforts, especially in the introduction of new business processes and digital technologies, and the constant reaction to new interpretations, for example through court rulings or notices from the numerous supervisory authorities," Rohleder said.

GDPR: Mainly external factors slow down

According to the companies, the fact that the implementation of the GDPR is not yet further along is mainly due to reasons for which they are not responsible. Above all, they are confronted with legal uncertainty and a contradictory interpretation of the data protection requirements within Europe and between the federal states. For example, 88 percent state that the implementation of the GDPR is never fully completed, for example because there are new guidelines. 78 percent see existing legal uncertainties regarding the requirements of the GDPR as an obstacle. 77 percent have found that the rolling out of new tools always sets a new test in motion. 57 percent see the inconsistent interpretation of the GDPR within the EU as an obstacle, 40 percent the inconsistent interpretation in Germany. And 52 percent complain about a lack of advice from supervisory authorities. But internal company reasons also slow down the implementation of the GDPR. 45 percent say the necessary IT and system changes cost a lot of time, 32 percent lack financial resources, 24 percent lack qualified employees. Around one in four companies (23 per cent) only insufficiently integrates the data protection officers, 15 per cent see a general lack of support in the company.

Accordingly, companies are currently critical of the implementation of data protection in Germany. Two-thirds state that the strict data protection in Germany hinders digitisation (68 percent), for almost as many, the inconsistent data protection hinders digitisation (65 percent). And 61 percent say Germany is overdoing it with data protection - a year ago, the figure was still 50 percent. "Data protection must not become an end in itself," says Rohleder. "From the companies' point of view, the GDPR has not yet succeeded in standardising data protection, neither within the EU nor within Germany. Germany cannot afford 18 different data protection interpretations in the long run. Whether in Munich or Hamburg, in Cologne or Schwerin: at least within Germany, the same data protection rules must apply."

Companies are more often forced to stop innovation projects

More often than in the previous year, companies report that at least one innovation project failed or was not started at all in the past twelve months due to data protection. In 82 percent of the companies, this was due to specific GDPR requirements (2021: 75 percent), in 93 percent due to lack of clarity in dealing with the requirements (2021: 86 percent). Specifically, this relates to the establishment of data pools in every second company (52 percent, -2 percentage points compared to 2021), process optimisation in the area of customer care in 45 percent (+8 %P), the use of new data analysis tools in 38 percent (+8 %P) and the use of cloud services in 37 percent (+4 %P). Around one in three companies (34 per cent) were set back by new software when innovating to digitise business processes (+11 %P), 33 per cent when using new technologies such as AI (-3 %P), 28 per cent when incorporating additional digital tools (+12 %P) and 26 per cent when using software from global vendors and platforms (+9 %P). "Digitisation is crucial for the competitiveness of German companies and for their crisis resilience. Digital technologies are also the most important innovation drivers for all industries," said Rohleder. "We need a balance between data use and data protection. Data protection must not regularly lead to things not being done; rather, data protection must support things being done right and ultimately serve people. "

Data protection supervision must work on its reputation

The data protection supervisory authorities in the federal states and the federal government have a special role to play here. About half of the companies (54 percent) have already received assistance from them in implementing data protection requirements. 32 percent have had personal contact, 22 percent have only used existing information material. However, 16 percent have not asked for help - and 27 percent have asked but not received an answer. And the quality of the assistance apparently also varies greatly. Of the companies that have used assistance, 12 percent are very satisfied and 28 percent are rather satisfied, but 34 percent are rather not satisfied and 22 percent are not satisfied at all. "Data protection in Germany would be served if the supervisory authority provided much more support in the practical implementation of data protection requirements," says Susanne Dehmel, member of the Bitkom management board. "This includes practical recommendations as well as concrete information. It must be a joint effort to translate data protection requirements into lived processes and business models."

The companies that have received personal assistance predominantly (65 percent) praise the friendly advice. 46 percent also say that the contact person was competent. 40 percent praise the quick processing of the request, and just as many were able to implement innovative, data-driven projects more quickly with the support of the supervisors. Conversely, however, 44 percent have the impression that the supervisory authority has mainly put obstacles in their way.

Among the companies that have not yet asked for help from the supervisory authority, none state that no assistance is needed. A quarter (27 percent) did not have the time, 20 percent did not know that the supervisory authority also provides advice. Often, however, the lack of contact is also due to the bad reputation of the supervisor. 33 percent think that the quality of the assistance is not good, 30 percent have heard about bad experiences of other companies. 16 percent are concerned that the supervisor only becomes aware of problems by asking questions, 13 percent fear that the supervisor is not interested in solving problems. And 1 percent are of the opinion that the supervisory authority is not responsible for providing assistance, but only for imposing penalties.

International data transfers are indispensable for Germany

Data transfers to non-EU countries continue to be of great importance for the German economy. Thus, only 40 percent (2021: 44 percent) state that they do not transfer personal data to countries outside the EU. 47 percent transfer such data to external service providers, 22 percent to business partners for joint purposes and 16 percent to other group units or subsidiaries. For those companies that use international data transfers to non-EU countries, the USA is the most important destination (59 percent), ahead of the UK (32 percent), India (13 percent), Japan (9 percent) and South Korea (5 percent). 4 per cent transfer data to China, and the same number to Ukraine. Russia, on the other hand, has become insignificant, with practically no company (0 per cent) transferring personal data to it any more. Before the war of aggression on Ukraine, the share was still 18 percent in 2021.

The abolition of the Privacy Shield has caused massive problems for many companies that exchange data with the USA. In the past, 59 percent of them transferred data to the USA on the basis of the Privacy Shield. Today, the vast majority use standard contractual clauses (91 percent). A quarter each use consent (27 percent) or so-called Binding Corporate Rules (26 percent).

The reasons for international data transfers are manifold. The most frequently cited reason is the use of cloud services (89 per cent), followed by the use of communication systems that transfer data there (67 per cent) and the use of global service providers, for example for 24/7 support (61 per cent). This is followed at a considerable distance by the use of services such as billing or database management (29 per cent), own company locations outside the EU (25 per cent) or cooperation with partners outside the EU (16 per cent). "Because the reasons for data transfers to countries are so diverse, they cannot simply be eliminated by using alternative services, as is often suggested in the debate," says Dehmel.

The consequences for the German economy would be serious if the international exchange of data with countries outside the EU were to cease. 60 per cent of companies that currently process data outside the EU would then no longer be able to maintain global security support, 57 per cent would no longer be able to offer certain products and services and 55 per cent would be at a competitive disadvantage compared to companies from non-EU countries. Around every second company expects that global supply chains would then no longer function (48 percent) and higher costs would arise (47 percent). 37 percent would have to change their corporate structure completely, 30 percent fear a lower quality of their products and services and 20 percent would fall behind in the innovation competition. "Data transfers to non-EU countries have the same significance for companies as the international exchange of goods and global supply chains. Policymakers must quickly create a framework that at the same time creates legal certainty for companies and is truly practical," says Dehmel.

What companies expect from politics when it comes to data protection

Therefore, 4 out of 10 companies (39 percent) expect politicians to implement a political solution for international data transfers, 55 percent demand a hard line towards the USA in negotiations for international data transfers. At the top of the agenda for policymakers, however, are measures for more uniformity and legal certainty in data protection, according to the business community. For example, 94 percent of companies want the many special regulations on data protection and data use to be brought together. 84 percent are in favour of adapting the GDPR, 74 percent are in favour of further European standardisation of data protection regulations. 67 percent want the federal laws in Germany to be aligned in data protection and 51 percent are in favour of a standardisation of data protection supervision in Germany. 62 percent advocate better access to public sector data for companies. "It's not about less data protection, it's about better data protection," Dehmel summarises the position of businesses. "We need rules that companies can implement in everyday life and, above all, a uniform interpretation of the regulations, in Germany and in Europe. This will allow us to successfully shape the digitalisation of the German economy and thus secure our global competitiveness, but also our ability to master global challenges such as climate protection or social resilience in times of crisis."