GDPR brings competitive advantages to just a few companies

• Unclear regulations and inconsistent interpretation of the General Data Protection Regulation cause problems for business
• 93 percent of companies have ramped up investments in data protection

The European General Data Protection Regulation is still a long way from its goal of creating uniform data protection rules in Europe. This is despite the fact that the vast majority of companies have now implemented the requirements of the GDPR. This is shown by a representative survey commissioned by the digital association Bitkom among 503 companies with 20 or more employees in Germany. 67 percent praise the fact that the GDPR sets global standards for the handling of personal data. And every second company (50 percent) believes that the GDPR will lead to a level playing field within the EU. But 70 percent do not yet see uniform data protection across the EU due to the different interpretations of the GDPR in the member states. And the assessment with regard to their own company is also predominantly critical. For example, 40 percent cannot see any competitive advantage for their own company on the international market as a result of the GDPR - and 30 percent even see competitive disadvantages. This contrasts with 16 and 13 percent, respectively, who describe the GDPR as a minor or major competitive advantage. "The idea of the GDPR to create a uniform data protection framework with high standards for Europe was and is correct. So far, however, it has not been possible to draw the often claimed competitive advantage from it," says Bitkom CEO Dr. Bernhard Rohleder.

Data protection efforts are being ramped up for the GDPR

The vast majority have now implemented the GDPR, either fully (22 percent) or largely (40 percent). A third (33 percent) consider themselves to have only partially reached their goal, and only 2 percent have only just begun implementation - and no company has done nothing yet. Virtually all companies have ramped up their data protection efforts since the introduction of the General Data Protection Regulation (GDPR). 16 percent note that this is slowly decreasing again, but 47 percent expect the effort to remain at the same level, and 30 percent even expect the already increased effort to increase further. Only 6 percent see no additional effort, and for no company has the effort decreased. "The GDPR is not a point plan that you take on and then implement once," said Rohleder. "It requires sustained effort, especially in the introduction of new business processes and digital technologies, and a constant response to new interpretations, for example through court rulings or notices from the numerous supervisory authorities," Rohleder said.

GDPR: Mainly external factors slow down

According to the companies, the fact that implementation of the GDPR is not yet further along is mainly due to reasons for which they are not responsible.  They are primarily confronted with legal uncertainty and contradictory interpretations of the data protection requirements within Europe and between the German states.  For example, 88 percent state that the implementation of the GDPR is never fully completed, for example because there are new guidelines. 78 percent see existing legal uncertainties regarding the requirements of the GDPR as an obstacle. 77 percent have found that the rolling out of new tools always sets a new test in motion. 57 percent see the inconsistent interpretation of the GDPR within the EU as an obstacle, 40 percent the inconsistent interpretation in Germany. And 52 percent complain about a lack of advice from supervisory authorities. But internal company reasons are also slowing down the implementation of the GDPR. 45 percent say the necessary IT and system changes cost a lot of time, 32 percent lack financial resources, and 24 percent lack qualified employees. Around one in four companies (23 percent) do not adequately involve data protection officers, and 15 percent see a general lack of support within the company.

Accordingly, companies are currently critical of the implementation of data protection in Germany. Two-thirds state that strict data protection in Germany makes digitization more difficult (68 percent), and for almost as many, inconsistent data protection inhibits digitization (65 percent). And 61 percent say Germany is overdoing it with data protection - a year ago, the figure was just 50 percent. "Data protection must not become an end in itself," says Rohleder. "From the companies' point of view, the GDPR has not yet succeeded in standardizing data protection, either within the EU or within Germany. Germany cannot afford 18 different data protection interpretations in the long run. Whether in Munich or Hamburg, in Cologne or Schwerin: at least within Germany, the same data protection rules must apply."

Companies are more often forced to stop innovation projects

More frequently than in the previous year, companies report that at least one innovation project failed or was not even started in the past twelve months due to data protection. In 82 percent of companies, this was due to specific GDPR requirements (2021: 75 percent), and in 93 percent due to lack of clarity in dealing with the requirements (2021: 86 percent). Specifically, this relates to the establishment of data pools in one in two companies (52 percent, -2 percentage points compared to 2021), process optimization in the area of customer support in 45 percent (+8 %P), the use of new data analysis tools in 38 percent (+8 %P) and the use of cloud services in 37 percent (+4 %P). Around one in three companies (34 percent) were set back by new software when innovating to digitize business processes (+11 %P), 33 percent when using new technologies such as AI (-3 %P), 28 percent when incorporating additional digital tools (+12 %P) and 26 percent when using software from global vendors and platforms (+9 %P). "Digitization is crucial for the competitiveness of German companies and for their crisis resilience. Digital technologies are also the most important innovation drivers for all industries," said Rohleder. "We need a balance between data use and data protection. Data protection must not regularly lead to things not being done; rather, data protection must support them being done right and ultimately serving people. "

Data protection supervisors need to work on their reputation

The data protection supervisory authorities in the states and the federal government have a special role to play here. Around half of the companies (54 percent) have already received assistance from them in implementing data protection requirements. 32 percent have had personal contact, while 22 percent have only used existing information material. However, 16 percent have not asked for any help - and 27 percent have asked but received no response. And the quality of assistance also appears to vary widely. Of the companies that have used assistance, 12 percent are very satisfied and 28 percent are somewhat satisfied, but 34 percent are somewhat not satisfied and 22 percent are not at all satisfied. "Data protection in Germany would be served if the supervisory authority provided much more support in the practical implementation of data protection requirements," says Susanne Dehmel, member of the Bitkom management board. "This includes practical recommendations as well as concrete information. It must be a joint effort to translate data protection requirements into lived processes and business models."

The companies that have received personal assistance overwhelmingly (65 percent) praise the friendly advice. 46 percent also say that the contact person was competent. 40 percent praised the speed with which the request was handled, and the same number were able to implement innovative, data-driven projects more quickly with the support of regulators. Conversely, however, 44 percent have the impression that the supervisory authority has mainly put obstacles in their way.

Among companies that have not yet asked for help from the regulator, none say no assistance is needed. A quarter (27 percent) did not have the time, and 20 percent did not know that the supervisory authority also provides advice. Often, however, the lack of contact is also due to the poor reputation of supervision. 33 percent think the quality of assistance is not good, 30 percent have heard of bad experiences at other companies. 16 percent are concerned that the supervisor only becomes aware of problems by asking questions, 13 percent fear that the supervisor is not interested in solving problems. And 1 percent are of the opinion that the supervisory authority is not responsible for providing assistance at all, but only for imposing penalties.

International data transfers are indispensable for Germany

Data transfers to non-EU countries continue to be of great importance to the German economy. For example, only 40 percent (2021: 44 percent) say they do not transfer personal data to countries outside the EU. 47 percent transfer such data to external service providers, 22 percent to business partners for joint purposes and 16 percent to other group units or subsidiaries. For those companies that use international data transfers to non-EU countries, the U.S. is the most important destination (59 percent), ahead of the U.K. (32 percent), India (13 percent), Japan (9 percent) and South Korea (5 percent). 4 percent transfer data to China, and the same number to Ukraine. Russia, on the other hand, has become insignificant, with virtually no company (0 percent) transferring personal data to it anymore. Before the war of aggression on Ukraine, the share was still 18 percent in 2021.

The discontinuation of the Privacy Shield has created massive problems for many companies that exchange data with the United States. In the past, 59 percent of them transferred data to the U.S. on the basis of the Privacy Shield. Today, the vast majority use standard contractual clauses (91 percent). A quarter each use consent (27 percent) or so-called Binding Corporate Rules (26 percent).

The reasons for international data transfers are varied. The most frequently cited reason is the use of cloud services (89 percent), followed by the use of communications systems that transfer data there (67 percent) and the use of global service providers, for example for 24/7 support (61 percent). This is followed at a considerable distance by the use of services such as billing or database management (29 percent), own company locations outside the EU (25 percent) or cooperation with partners outside the EU (16 percent). "Because the reasons for data transfers to countries are so diverse, they cannot simply be eliminated by using alternative services, as is often suggested in the debate," says Dehmel.

For the German economy, the consequences of discontinuing international data exchange with countries outside the EU would be severe. 60 percent of companies that currently process data outside the EU would then no longer be able to maintain global security support, 57 percent would no longer be able to offer certain products and services, and 55 percent would be at a competitive disadvantage compared with companies from non-EU countries. Around one in two companies expect that global supply chains will then no longer function (48 percent) and higher costs will be incurred (47 percent). 37 percent would have to change their corporate structure completely, 30 percent fear a lower quality of their products and services, and 20 percent would fall behind in the innovation competition. "Data transfers to non-EU countries have the same significance for companies as the international exchange of goods and global supply chains. Policymakers must quickly create a framework that simultaneously provides legal certainty for companies and is truly practical," said Dehmel.

What companies expect from policymakers when it comes to data protection

Therefore, 4 out of 10 companies (39 percent) expect policymakers to enforce a political solution for international data transfers, and 55 percent demand a hard line toward the U.S. in negotiations for international data transfers. At the top of the agenda for policymakers, however, are measures for greater uniformity and legal certainty in data protection, according to the business community. For example, 94 percent of companies want the many special and specific regulations on data protection and data use to be brought together. 84 percent are in favor of adapting the GDPR, 74 percent are in favor of further European standardization of data protection requirements. 67 percent want the federal laws in Germany on data protection to be harmonized and 51 percent are in favor of standardizing data protection supervision in Germany. 62 percent advocate better access to public sector data for companies. "It's not about less data protection, it's about better data protection," says Dehmel, summarizing the position of companies. "We need rules that companies can implement on a day-to-day basis and, above all, a uniform interpretation of the regulations, in Germany and in Europe. This will enable us to successfully shape the digitization of the German economy and thus secure our global competitiveness, but also our ability to master global challenges such as climate protection or social resilience in times of crisis."

Register now here for free to attend the Privacy Conference 2022 starting tomorrow.