
The implementation of the General Data Protection Regulation (GDPR) has been a challenge for many German companies. According to a survey by the digital association Bitkom, three out of four companies in Germany missed the deadline of May 25, 2018.

Implementation of data protection rules still unclear in many areas

"Even now, by no means all companies are finished with the implementation. GDPR has cost companies a lot of time and money and still demands a lot of work," says Susanne Dehmel, member of Bitkom's management board. "The main difficulty is that with many specifications it is not clear what exactly they mean. Even the data protection supervisory authorities cannot agree on a uniform interpretation of certain regulations. How can companies be sure that they are doing the right thing?"

According to Dehmel, smaller companies in particular are disproportionately affected by the new regulations. "Due to the many formal requirements, existing processes have to be converted and new processes introduced. This is costing small companies their already scarce resources. As a rule, they also do not have their own legal expertise, but have to buy it at a high price in case of doubt." The regulation makes no distinction between a startup, a non-profit association or a large international corporation. "Improvements are needed," says Dehmel.

Consequences of the GDPR for companies

An example of the additional effort is the extended information obligations towards customers and business partners. From Bitkom's point of view, it is not sufficiently certain whether providing the information via a link to a website is enough, nor is it clear how specific and comprehensive the information must be. The obligation to provide information about data processing already applied to websites in the past, but it was not as extensive. With the extension of the obligation, the question now also arises of how it is to be fulfilled in everyday processes such as exchanging business cards, e-mail correspondence, and customer cards in restaurants and shops.

The completely new right to data portability is also difficult to implement in practice. The GDPR gives individuals the right to receive the data they have provided to a controller, or to have it sent to another service, in a structured, commonly used and machine-readable format. "For many companies it has still not been clarified which data is included and from when the rights of other data subjects could be violated," says Dehmel.

Who is responsible for data processing?

From Bitkom's point of view, contracts in the services sector are currently being delayed because the contracting parties often do not agree on whether the arrangement constitutes processing on behalf of a controller (commissioned processing), which requires a dedicated data processing agreement. Views differ here, including among the supervisory authorities. The question matters because personal data can only be lawfully processed on behalf of a controller if such an agreement has been concluded. If the arrangement is of a different kind, other prerequisites for lawful processing apply.

Dehmel: "In any case, the General Data Protection Regulation has contributed to greater data protection awareness among organisations in Germany. Whether the many changes and formalities have also led to significantly better and above all future-oriented data protection, however, must be doubted." Legal uncertainties in the use of Big Data and AI applications had not been removed by the regulation either. "Modernising data protection law and striking a balance between data protection and other legitimate interests of society and business remains on the agenda."

Note on methodology:

The data is based on a survey conducted by Bitkom Research on behalf of Bitkom. 505 persons responsible for data protection (data protection officers, managing directors, IT managers) from companies in all industries with 20 or more employees in Germany were surveyed. The survey is representative.
