One in two companies refrains from innovations for privacy reasons

  • 20 percent have implemented the General Data Protection Regulation including test processes
  • Tools for remote work limited due to data protection requirements
  • Tailored contact tracing apps not relevant for companies

Berlin, 29th of September 2020 - In the pandemic year 2020, data protection requirements make it difficult for many companies to maintain their operations. For example, many companies have limited or no access to digital tools for home office collaboration for data protection reasons. In addition, more than two years after the General Data Protection Regulation (GDPR) came into effect, the vast majority are still struggling to implement its many rules. These numbers are the results of a representative survey of more than 500 companies in Germany, which the digital association Bitkom presented at its Privacy Conference. According to the survey, only every fifth company (20 percent) has fully implemented the GDPR and also established test processes for further development. More than a third (37 percent) have largely implemented the rules, and a similar number (35 percent) have done so partially. And 6 percent have only just started implementing the GDPR. "The still low implementation figures are sobering," says Susanne Dehmel, member of the Bitkom management. "The GDPR cannot be worked off like a product requirement specification. On the contrary: due to unclear rules and additional requirements of the data protection authorities, the GDPR has become a bottomless pit". The companies surveyed confirmed this almost unanimously. 89 percent think that the GDPR is practically impossible to implement in full.

Additional expenditure due to the GDPR continues to rise

The greatest challenge for three quarters of the companies (74 percent) is the continuing legal uncertainty caused by the rules of the GDPR. Two out of three (68 percent) complain about too many changes or adjustments in interpretation. Six out of ten companies (59 percent) see the lack of implementation assistance from supervisory authorities as one of the biggest problems, while almost half (45 percent) cite the inconsistent interpretation of the rules within the EU as an issue. For a quarter of all companies (26 percent), a lack of qualified personnel is one of the highest hurdles. A vast majority is also affected by this when it comes to their own resources. More than a third of the companies (36 percent) state that they have had higher expenditures since the introduction of the GDPR and will continue to do so in the future. For another 35 percent it is foreseeable that the already increased expenses will continue to rise.

Innovative projects fail due to data protection obligations

In addition, data protection rules have led to many companies having been less able to drive technological innovation, or not at all. In more than every second company (56 percent), new, innovative projects have failed as a result of the GDPR - either because of direct specifications or because of ambiguities in the interpretation of the GDPR. Four out of ten (41 percent) state that they were unable to set up data pools to share data with business partners. In three out of ten (31 percent), the use of new technologies such as Big Data or artificial intelligence failed as a result, and a quarter (24 percent) confirm this for the digitization of business processes. One in five of the companies affected (20 percent) did not use new data analyses because of the GDPR. "Personal data must be protected, that is beyond dispute. But data protection must not become a brake on innovation," says Dehmel. "If we are serious about Europe becoming a top spot for digitization and innovation, data protection rules must promote and support data-driven business models instead of hindering them. Almost all companies (92 percent) are calling for improvements of the GDPR. According to those surveyed, for example, the information obligations should be made more practical (91 percent), the rules should be made more comprehensible (85 percent) and the advice and assistance provided by data protection supervisory authorities in implementing them should be improved (83 percent). Only 3 percent believe that the GDPR should be even stricter.

With regard to their own operations, the majority of those surveyed take a critical view of the GDPR. Seven out of ten (71 percent) say that it makes their business processes more complicated. And for 12 percent the GDPR even poses a threat to their own business. Only one in five companies (20 percent), on the other hand, benefits from it. Asked about their general view of the GDPR, there are also positive voices. For example, seven out of ten companies (69 percent) are convinced that the GDPR sets global standards for the handling of personal data. Two thirds (66 percent) believe that the GDPR will lead to more uniform competitive conditions in the EU and six out of ten companies (62 percent) believe that the GDPR is an overall competitive advantage for European companies.

Data protection requirements as an additional burden in the crisis

During the pandemic, many companies also struggle to maintain their operations in compliance with data protection regulations. Many tools that facilitate mobile work, for example, were used only to a limited extent or not at all for data protection reasons. Almost one in four companies (23 percent) did not use collaboration tools for data protection reasons. Another 17 percent used these applications only to a limited extent. Cloud services such as online storage were not fully used by a quarter (26 percent), and 2 percent did not use them at all for data protection reasons. One in ten companies (10 percent) restricted the use of video conferencing systems, 3 percent were unable to use suitable video conferencing systems due to data protection requirements. And 4 percent stated that they had to limit the use of messenger services within the company in order to comply with data protection regulations. "Many companies are faced with a dilemma: On the one hand, they depend on communication and collaboration tools that enable remote collaboration and replace business trips. On the other hand, German supervisory authorities criticize precisely those tools as not being compliant to data protection regulations," says Dehmel.

Remote work guidelines: yes, own tracing apps: no

More than four out of ten companies (42 percent) have drawn up guidelines for remote work, 20 percent of which were already in place before the outbreak of the pandemic. Another 37 percent are planning or discussing such guidelines, while for 6 percent this is not an issue. And 13 percent state that their company does not allow remote work in principle. None of the respondents use their company's own contact tracking apps for Covid19 infections. However, every fifth company with 500 employees or more (22 percent) is planning or discussing its own tracing app independently of the official Corona Tracing App of the German government. Overall, almost two thirds (62 percent) believe that more options for data use would help in the fight against the pandemic. However, one in ten (10 percent) companies says that they were unable to implement certain corona measures due to data protection regulations. Four out of ten of those surveyed (40 percent) also say that Germany is overdoing it when it comes to data protection.

Note on methodology: The information is based on a survey conducted by Bitkom Research on behalf of Bitkom. In this survey, 504 persons responsible for data protection (company data protection officers, managing directors, IT managers) of companies in all industries with 20 or more employees in Germany were interviewed by telephone. The survey is representative.