At the end of May the European General Data Protection Regulation (GDPR) came into force and caused a great deal of commotion and uncertainty among companies. But what has come of all this excitement? The industry association Bitkom draws a mixed conclusion after three months.
The General Data Protection Regulation affects everyone who processes personal data for business purposes. According to a survey by the Digital Association, three out of four companies in Germany missed the May 25, 2018, deadline. And although the regulation has been in force for a good quarter of a year, not all companies are finished with its implementation, according to Susanne Dehmel, Member of the Bitkom Management Board:
“The GDPR has cost companies a lot of time and money and continues to mean a lot of work.”
The main difficulty is that many of the requirements are not clear about what they exactly mean, says Dehmel:
"Not even data protection authorities can agree on a uniform interpretation of certain regulations. How can companies be sure they're doing the right thing?"
GDPR causes uncertainty in contract conclusions
From the Bitkom representative's perspective, smaller companies are disproportionately affected by the GDPR. The regulation makes no distinction between a startup, a non-profit organization, and a large international corporation. Dehmel says:
"Everyone is being tarred with the same brush. Improvements need to be made here and in a whole host of other areas."
Specifically, according to Bitkom, contract conclusions in the service sector are currently particularly delayed because the contracting parties often do not agree on whether a special data processing agreement is necessary.
“More data protection awareness among organizations”
However, Bitkom representative Dehmel sees the GDPR as a success:
“The General Data Protection Regulation has certainly contributed to greater data protection awareness among organizations in Germany.”
Nevertheless, the Bitkom representative does not see the General Data Protection Regulation as providing better and future-oriented data protection. Legal uncertainties surrounding the use of big data and AI applications have not been eliminated by the regulation either. She calls for modernizing data protection law and striking a balance between data protection and other legitimate interests of society and business.
