An elaborate review process before the introduction of any digital tool, new decisions by the supervisory authorities on a regular basis, and court rulings throughout Europe that can have an impact on a company's own business - data protection requirements are putting companies in Germany under constant pressure. At the same time, the supervisory authorities are not getting good marks for their advice.
Half of the companies (50 percent) say Germany is overdoing it with data protection. Two-thirds (66 percent) believe that strict data protection and the inconsistent interpretation of data protection in Germany are hampering digitization. These are the findings of a representative survey of 502 companies with 20 or more employees in Germany commissioned by the digital association Bitkom.
Effort unmanageable
"Data protection is of particular importance in the digital economy and society. However, companies are increasingly lacking predictability and reliability" says Susanne Dehmel, Bitkom's business director. "Companies are under constant stress when it comes to data protection. They want to comply with data protection laws, but to do so they not only have to follow court rulings across Europe and be aware of the different interpretations from the member states, but also have to deal with 18 different interpretations from data protection authorities in Germany alone. This is becoming increasingly difficult, especially for smaller companies."
Four out of ten companies (42 percent) state that they have had more work since the introduction of the GDPR - and that this will continue in the future. Another third (32 percent) even assume that the effort will continue to increase. Only 19 percent expect their increased effort to slowly decrease again, while six percent no longer have any increased effort. At the same time, two-thirds of companies (65 percent) have implemented the GDPR in full or for the most part, but 29 percent have only partially implemented it and just five percent are still at the very beginning. Smaller companies in particular are making slow progress.
Innovations thwarted
The companies that have not yet fully implemented the GDPR cite the fact that Corona has forced other priorities as the main reason (82 percent), but almost as many complain that the GDPR cannot be fully implemented at all (77 percent). 61 percent also lack the necessary human resources. Around one in two companies complain about ongoing adjustments due to new rulings and recommendations from the supervisory authority (47 percent) and the need for new audits of data transfers to countries outside the EU (45 percent).
"Smaller companies in particular need more and better support in implementing the GDPR" says Dehmel. "There is often a lack of data protection expertise in small companies, so concrete and implementable handouts are needed, for example from the supervisory authorities."
However, the GDPR is not only causing expense, it is also slowing down innovation projects in the German economy. Three quarters of all companies (76 percent) report that innovation projects have failed due to specific requirements of the GDPR. And in 86 percent of companies, projects have been stopped because of ambiguities in dealing with the GDPR.
Most frequently affected was the establishment of data pools (54 percent), followed by process optimization in the area of customer support (37 percent), projects to improve data utilization and the use of new technologies such as artificial intelligence or Big Data (36 percent each). And in every third company (33 percent), the use of cloud services was affected.
In recent years, problems with GDPR implementation have increased significantly. More than three quarters (78 percent) of companies now say that legal uncertainty is the biggest challenge, compared with just 68 percent two years ago. Too many changes and adjustments to the requirements are the complaint of 74 percent. Inconsistent interpretation within the EU hinders 52 percent, and a lack of financial resources is cited by 37 percent.