We recently conducted an EU General Data Protection Regulation survey, sponsored by international law firm McDermott Will & Emery and carried out by the Ponemon Institute, which revealed that businesses across the globe continue to face challenges understanding and responding to EU data breaches, despite making investments in new personnel and changing business practices. This is a follow-up study to last year's research, "The Race to GDPR," a study we discussed here on Privacy Perspectives in April 2018. 

The McDermott-Ponemon study surveyed companies in the U.S. and European Union, and for the first time in China and Japan, as they assessed progress and challenges after one year under the GDPR requirements.

Here are some of our key findings: 

  • The GDPR survey found that nearly 50% of respondents experienced at least one personal data breach that was required to be reported under the GDPR.
  • One-quarter of respondents on average in all countries say their readiness and confidence to respond to a GDPR data breach is very low.
  • Only 18% of organizations were highly confident in their ability to communicate a reportable data breach to the relevant regulator(s) within 72 hours of awareness, demonstrating a potential gap in their ability to comply with GDPR requirements.
  • Approximately one-third of companies obtained cyber risk insurance; 43% of those respondents said their insurance policy covers GDPR fines or penalties; 10% were unsure of what their organization’s cyber policy covered.
  • Nearly half (49%) of Chinese respondents and more than one-third (36%) of Japanese respondents subject to GDPR regulations are still not familiar with them.

What do these results mean?

The reporting requirement is one of the more difficult aspects of the regulatory scheme, and the issues found by this survey can continue to challenge a range of businesses as companies work on coming to terms with their vulnerabilities.

Although companies report making significant investments in compliance, there are still risks around their ability to prevent — and consequently respond to — data breaches.

Almost half of the survey’s respondents experienced at least one personal data breach that was required to be reported under the GDPR. Less than that — 39% of U.S. companies and 45% of European companies — reported a personal data breach to a GDPR regulator.

Looking beyond the U.S. and EU, the survey results show that Chinese and Japanese respondents lag in their GDPR efforts. Only 29% of the Chinese respondents and 32% of the Japanese respondents stated that they were fully compliant with the GDPR, more than 10% lower than Western companies. Although Japanese respondents rely heavily on external cybersecurity services to investigate data breaches, significantly fewer Chinese respondents did so, and only 41% of those investigations were conducted through litigation or under the protection of lawyer-client privilege, compared to 65% in the U.S. and 56% in the EU.

The big picture

These survey results bolster what was revealed in the GDPR survey we conducted in 2018. Last year’s survey showed that GDPR compliance was going to be an ongoing process, particularly with information so frequently criss-crossing national borders and an anticipated uptick in varying local regulations — whether that’s China’s Cybersecurity Law or the California Consumer Privacy Act.

This year’s survey shows that countries and regions are now at different points in their compliance awareness and execution journeys. With enforcement activity just beginning, it is critical for companies to work closely with external cybersecurity companies and legal counsel and understand that these issues will continue well into the foreseeable future.

Companies would benefit from conducting risk assessments and engaging forensic professionals who can identify vulnerabilities and recommend improved processes and remediation. If done under litigation or attorney privilege, organizations can further safeguard themselves.

Additional survey results

The survey also found that a surprisingly high percentage of respondents (85%) reported appointing a GDPR data protection officer and 54% of non-EU respondents appointed an EU representative. Most of these appointments were internal rather than an external individual or company. At play are complex GDPR provisions that mandate this position in some, but not all, situations.

More than half of the U.S. company respondents apply GDPR data subject rights to both U.S. and EU employees. Fifty-one percent of U.S. companies surveyed say they give their U.S. and EU employees the same rights under the GDPR, while only 43% of EU companies apply GDPR data rights to both U.S. and EU employees.