Berlin, 15th September 2021 - Elaborate review processes before introducing new digital tools, frequent new decisions of regulatory bodies, and court rulings from all over Europe that have a potential impact on private businesses—data protection requirements are putting companies in Germany under constant pressure. At the same time, support offered by regulatory bodies is rated badly. Half of the companies (50 percent) say that Germany is overdoing it with data protection. Two thirds (66 percent) state that strict data protection regulation and the inconsistent interpretation of data protection regulation in Germany are a hindrance to the digital transformation. These are but some of the results of a representative survey of 502 companies with 20 or more employees in Germany, commissioned by the digital economy association Bitkom. “Data protection plays an important role in a digital economy and society. However, companies are reporting a mounting lack of predictability and reliability,” says Susanne Dehmel, Bitkom’s managing director. “Companies are under permanent stress when it comes to data protection. They are seeking to comply with data protection regulation. However, in order to do so, not only must they monitor court rulings from all over Europe and different interpretations from EU member states but also familiarize themselves with 18 different interpretations from data protection authorities in Germany alone. This is increasingly hard to manage, especially for smaller companies.”
4 out of 10 (42 percent) companies state that they have—and will continue to have—increased expenditures since the GDPR came into effect. An additional third (32 percent) expects these expenditures to increase further. Only 19 percent expect their increased expenditures to gradually decrease, while only 6 percent report no longer having increased expenditures. At the same time, two thirds of the surveyed companies (65 percent), a large majority, report having implemented the GDPR fully or to a large extent, while 3 out of 10 (29 percent) have implemented it to some extent. Only 5 percent are still at the very beginning. Smaller companies in particular are making only slow progress. Among large companies with 500 or more employees, the number of respondents stating that they had only implemented the GDPR to an extent remained virtually the same at 3 percent (2020: 2 percent). Among companies with 100 up to 499 employees, this share decreased from 28 to 12 percent within a year. Among smaller companies with 20 to 99 employees, however, this number remains at the high level of 33 percent (2020: 37 percent).
The main reasons cited by companies that have not yet fully implemented the GDPR include being forced to set different priorities due to the pandemic (82 percent), but almost as many also bemoan that full implementation of the GDPR was hardly possible (77 percent). 61 percent report a lack of human resources to do so. Roughly every second company bemoans having to make continuous adjustments due to new court rulings as well as recommendations of regulatory bodies (47 percent), and frequent reviews of data transfer into countries outside the EU (45 percent). “Smaller companies in particular require more and better support in implementing the GDPR,” says Dehmel. “Smaller companies often have a lack of data protection expertise. They require concrete and implementable guidelines given out, for example, by regulatory bodies.”
But the GDPR does not only create expenditures, it also hampers innovation projects by German businesses. Three quarters of the companies (76 percent) state that innovation projects have failed due to concrete requirements of the GDPR. And 9 out of 10 companies (86 percent) have halted projects due to uncertainties in dealing with the GDPR. This most frequently affected the setting up of data pools (54 percent), followed by process optimization in customer service (37 percent), projects for improving data use, and the use of new technologies like artificial intelligence or big data (37 percent each). At every third company (33 percent), it affected the use of cloud services. “Across all industries, digital technologies are the most important drivers of innovation. We need to better balance data protection and data use,” says Dehmel.
Problems in GDPR implementation have increased significantly in the past years. More than three quarters (78 percent) of companies say that legal uncertainty is now the greatest challenge, compared to only 68 percent two years ago. 74 percent of those surveyed bemoan too many changes or adjustments having to be made, compared to 59 percent in 2019. Inconsistent interpretation across the EU is a hindrance to 52 percent (2019: not surveyed; 2020: 45 percent), while a lack of financial resources is cited by 37 percent, more than twice as many as in 2019 (18 percent). In contrast, the challenges over which companies have a direct influence are not becoming more important: technical difficulties in implementation are a hindrance to an unchanged 34 percent of those surveyed, a lack of qualified staff is only experienced by 33 percent (2019: 37 percent), and only 8 percent see a lack of support within their company (2019: 13 percent).
Simultaneously, discontent with regulatory bodies is growing. Two thirds (66 percent) criticize a lack of implementation aids on behalf of regulatory bodies, compared to only 53 percent two years ago. “If problems like legal uncertainty or a lack of implementation aids on behalf of the supervisory bodies continue to grow, then something is obviously going quite wrong,” warns Dehmel. “Normally, new legislation might initially create problems, which then become less due to experience, decisions as well as support systems.”
Even regarding concrete questions, only a minority receives support from regulatory bodies. A quarter (24 percent) reports requesting help with implementing data protection regulation but not receiving an answer. A similar amount (28 percent) did receive an answer but an unhelpful one. Only 3 out of 10 (29 percent) report that they received help following their request: 64 percent of them received help in the form of guidelines, 32 percent received individual consultation, and 27 percent received consultation as part of a group. Of the companies that received help, 12 percent state that they were very satisfied with it, 19 percent were more or less satisfied. However, 41 percent were less satisfied and 25 percent were not satisfied at all. “If data protection is to be promoted in companies in the long term, it is not enough to process complaints and impose fines whenever violations are detected,” says Dehmel. “On the contrary, an active culture of data protection would benefit from preventive measures on behalf of regulatory bodies, seeking to support companies in practical matters of data protection implementation by providing them with specific information and real-world recommendations.”
The main reason for companies not to ask for help was not that they didn’t need it. Only 1 percent reported not requiring support. However, every third company (34 percent) reported that it refrained from seeking support because other companies had reported bad experiences. Every fourth company is not aware that regulatory bodies offer help (26 percent), or assumes that the quality of support is lacking (25 percent). Roughly every fifth company (18 percent) is afraid a regulatory body will become aware of its problems if contacted. And 16 percent state that regulatory bodies were not interested in problem-solving in the first place.
The most important basis for EU-US data exchange disappeared when the Privacy Shield was removed by the so-called Schrems II ruling of the ECJ. However, international data transfers to non-EU countries play a major role in the German economy. Every second company (48 percent) exchanges data with external service providers from non-EU countries, every fourth (25 percent) does so with business partners, and 12 percent with other company departments. In doing so, 52 percent transfer data to the US, 35 percent to the United Kingdom, 18 percent to Russia, and 13 percent to India. Other frequent mentions include China (8 percent), Japan (7 percent), and South Korea (4 percent).
The reasons for international data transfer to non-EU countries are manifold. 9 out of 10 companies (85 percent) use cloud services that store data outside the EU, and two thirds (68 percent) work with international service providers, for example, to offer 24/7 security support. Half of those surveyed (52 percent) use communication systems that store data outside the EU, and every fifth company (22 percent) has locations outside the EU. And 13 percent work together with partners in non-EU countries, for example, in research and development.
Should it no longer be possible to process personal data outside the EU, this would have severe effects on German companies and the economy as a whole. 62 percent state that they would no longer be able to provide certain products and services; 57 percent fear competitive disadvantages compared to companies from non-EU countries. 54 percent of each of those groups expect rising costs resulting from being unable to maintain global security support services. 4 out of 10 companies expect a disruption of their global supply chains (41 percent) and quality losses of their own products and services (39 percent), while 31 percent would need to change their corporate structure. 12 percent of the companies surveyed would fall behind in the global competition for innovation, and 3 percent reported that they would have to stop their business operations entirely. None of the companies surveyed expects an end to personal data transfers to have no impact on its business operations. “Data transfer to non-EU countries is as important to the German economy as international supply chains. This is not simply a nice-to-have but the very core of an increasingly digital economy in the 21st century,” says Dehmel. “It is imperative that policy-makers create a framework that produces legal certainty for companies and that can actually be implemented in practice.”
Calls for an adjustment of the GDPR top the list of data protection-related demands that companies have for the next federal government (89 percent). Roughly two thirds want increased standardization of data protection regulation at the European level (68 percent) and at the level of federal legislation in Germany. 6 out of 10 make the case for abolishing state-level data protection authorities (60 percent), and for improving access to publicly-produced data (57 percent). Roughly half of those surveyed expect a tough stance in negotiations with the US over international data transfer (46 percent), and one third (32 percent) sees pushing for a political solution for international data transfers as a pressing issue.
Trends in the fields of data protection, international data transfer, and cooperation for the data economy are also subjects at Bitkom’s 2021 Privacy Conference. On 27–28 September 2021, data protection experts from various data protection authorities as well as global companies and start-ups will exchange their ideas and experiences on current developments in regulation and enforcement, best practices, and data-driven innovation. Free-of-charge registration is available at: www.privacy-conference.com/tickets.
Methodology note: The data are based on a survey carried out by Bitkom Research and commissioned by Bitkom, Germany’s digital economy association. It involved interviewing 502 German companies with 20 or more employees by telephone. The survey is representative of the economy as a whole.