One in three companies has not implemented data protection regulation

Almost seven years after the General Data Protection Regulation came into force, implementation in Germany is still lacking. Companies criticize rules that are far removed from practice.
Even in the seventh year since data protection requirements came into force, only two-thirds of companies in the Federal Republic have fully implemented the rules. © dpa/Patrick Pleul (symbol photo)

Berlin. Many companies in Germany continue to struggle with the European General Data Protection Regulation (GDPR). Even seven years after the data protection requirements came into force, only two-thirds of companies in the Federal Republic have implemented the rules "fully" (20 percent) or "for the most part" (45 percent). This is the result of a survey of more than 502 companies in Germany with 20 employees or more, commissioned by the digital industry association Bitkom.

The survey was conducted by Bitkom Research in July and August and is representative. Members of management or the Board of Management, data privacy officers, the head of the legal department, in-house counsel or compliance officers were surveyed. The statistical margin of error is plus/minus 5 percent.

In the survey, managers complained that the GDPR made business processes more complicated (78 percent) and that the regulation was too impractical (77 percent). On the other hand, 61 percent each agreed with two GDPR-friendly statements: "The GDPR has improved data security in our company" and "The GDPR sets standards worldwide". Nevertheless, the majority of companies have political reservations: 59 percent say the data protection authorities are using the regulation to impose their view of the world. And 56 percent think the GDPR is delaying the development of new products and services.

The survey also shows that companies are heavily dependent on international data transfers to countries outside the EU. Only 36 percent of companies manage without such data exchange. The most important target country remains the USA. 64 percent of the companies that transfer data internationally have data processed in the USA. This is followed by Great Britain (39 percent), India (17) and China (9). As in the previous year, no company transfers data to Russia.

Data transfers to countries outside the EU are on shaky legal ground because the European Court of Justice declared agreements for the transfer of data from Europe across the Atlantic invalid in two decisions, namely "Safe Harbor" (2015) and "Privacy Shield" (2020). The ECJ based its decisions on the fact that the level of data protection in the U.S. did not meet EU standards. This summer, a new data protection agreement between the EU and the USA came into force.

The U.S. now ensures an adequate level of protection for personal data transferred from the EU to companies in America, the EU Commission explained. Austrian lawyer Max Schrems, who had brought the two data protection cases before the ECJ, also announced a legal review of the new agreement. The agreement is largely a copy of the failed "Privacy Shield," he said.
