Many Companies Dissatisfied with GDPR

Information Economy

ZEW Survey on the Information Economy in Germany

Companies in the German information industry are frequently dissatisfied with the EU General Data Protection Regulation (GDPR), which came into force in May 2018.

In half of the companies, the negative aspects of the new regulations on personal data protection predominate after the two-year period, while the positive aspects of the GDPR outweigh the negative ones for just under five per cent of companies. The introduction of the GDPR quite frequently complicated companies’ regular business processes, leading to a high workload regarding the implementation of new requirements. This is the result of a recent representative survey of about 600 companies in the information economy, conducted by ZEW Mannheim in March 2020.

Among the sub-sectors of the information economy, the GDPR received the most favourable rating from companies in the information and communication technologies (ICT) sector. Around 62 per cent of ICT hardware manufacturers and 58 per cent of ICT service providers stated that positive and negative aspects were balanced, or that the positive aspects even predominated. Among the media and knowledge-intensive service providers, however, less than half of the companies shared this assessment.

“Business processes have become more complicated on account of the introduction of the GDPR in about 60 per cent of the companies,” says Dr. Daniel Erdsiek, ZEW expert for digital economy. When implementing the new rules, it was sometimes necessary to take comprehensive changes in information obligations as well as users’ rights into account, which included the implementation of new concepts such as privacy by design and privacy by default. These mandatory adjustments led to a high workload in more than two-thirds of the companies involved in the study.

As a result of the introduction of the GDPR, more than half of the companies also reported additional costs for employee training and increased demand for external consultation, with 17 per cent of the companies in the information economy even viewing the GDPR as a potential threat to their business activities. In the ICT sector, this figure was only eight per cent. Possible reasons for the negative impact on their business were the slowdown in business innovation (24 per cent) and the difficulty or even prevention of using new technologies such as artificial intelligence (13 per cent).

“Already in December 2017, shortly before the GDPR came into force, we asked companies in the information industry about the expected effects of the new regulations. A comparison with the current results shows that each of the negative consequences of the GDPR in question occurred more frequently than expected in December 2017,” Erdsiek explains.

It was not all negative, though; companies also reported positive effects in March 2020. For starters, 36 per cent of companies stated that their processes had been reviewed and optimised. In addition, the procedures for processing data were standardised in about 29 per cent of the companies in the course of the GDPR's introduction. However, only one in five companies agreed with the statement that the GDPR has led to increased legal certainty, which is ten per cent less than expected two years ago.

Despite the far-reaching new regulations and the increased awareness of the importance of data protection brought about by the GDPR, only roughly twelve per cent of the companies expect an increase in customer confidence. Moreover, only a very small share of them are convinced that the GDPR has led to a competitive advantage for EU companies on international markets (5 per cent), or that it had a positive effect on their business development (3 per cent).