2018 will be remembered by many in the corporate world as the year the GDPR kicked in. Every organization covered by the EU’s new regulation had a year’s heads-up to ensure conformity, yet few today are 100% compliant. However, new data sheds light on the reasons behind businesses’ diligent approach to this pressing issue.
Last year, Gartner made a rough estimate that more than half of companies covered by the GDPR would not be in full compliance on May 25, 2018, the day it took effect. New data unearthed by TrustArc reveals a more worrisome truth – only 20 percent of companies polled in a study commissioned from Dimensional Research said they were fully compliant with the new regulation.
An equally-divided sample
The survey was fielded from June 4 to June 15 to 600 IT and legal professionals in the United States, the United Kingdom and non-UK European Union countries, with 200 respondents for each territory. Respondents’ companies had between 500 and 5,000 employees. According to TrustArc, each geographic group contained the same mix of professionals with legal, information technology and privacy roles, while certain questions were repeated from an August 2017 survey to better gauge trends in GDPR compliance.
Some highlights of the results:
- 96% of all respondents have started their GDPR compliance programs and 53% are in the implementation phase.
- 20% of respondents have completed their work and consider themselves fully GDPR-compliant.
- Respondents in both highly regulated and unregulated industries had roughly the same compliance status.
- US and UK companies made considerable progress in the past 10 months, while the EU leads the UK and US on full compliance status.
- 49% of EU respondents, 55% of UK respondents and 56% of US respondents are not yet fully compliant.
- By the end of 2018, 76% of EU, 76% of UK and 68% of US companies expect to be in full conformity with the regulation.
- GDPR compliance is a C-level and board of directors concern.
- The greatest challenge identified by the respondents was the complexity of the regulation, followed by factors like budgeting, access to technology tools and lack of time.
- Highly regulated companies registered a slight advantage over non-regulated companies in terms of access to qualified staff and access to technology and tools to support their GDPR projects.
- 68% of respondents have already spent more than six figures on GDPR compliance and 67% expect to spend an additional six figures by the end of 2018; 10% of US respondents had GDPR budgets over $2.5 million, versus 2% for the UK and 3% for the EU.
- Most companies needed help with understanding and devising a GDPR program, and legal teams needed more outside help than IT departments.
- Many respondents rely on a variety of third-party technology solutions to support their compliance programs, but also on internally developed systems.
- 80% said they will increase their technology spend: 49% will increase their spend “somewhat,” and 31% plan “substantial” increases.
Accountability starts with the customer
Notably, most companies said they were motivated more by values and customer expectations, rather than by fear of fines and litigation. From the report:
“Although much has been made in the press about the potentially large fines that could be levied against companies that are not GDPR compliant, respondents were motivated more by a desire to meet customer and partner expectations than by fear of fines or lawsuits. Meeting customer expectations also was the top motivator for companies whether they were highly regulated or not.”
As many of our readers will undoubtedly recall, “accountability” is a key principle at the foundation of the EU’s General Data Protection Regulation. As the UK Information Commissioner’s Office notes, “it makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance.”
Apparently, for many companies this demonstration of compliance must first be made to customers and partners, and only later to regulators – a bold but somewhat inescapable approach if disruption is to be kept to a minimum.
Respondents reported being most compliant with updating policies and procedures (27%) and cookie consent management (25%). They were furthest behind on international data transfer mechanisms (16%) and vendor risk management (13%). These results are also, quite visibly, in line with the goal of meeting customer expectations first and foremost.
While maintaining GDPR compliance remains the top priority, the ability to demonstrate compliance is quickly moving up the priority list, respondents said, with some seeking to obtain “GDPR certification” next.