Recently, we endeavored to conduct a new major survey, sponsored by our internationally focused law firm McDermott Will & Emery and carried out by the Ponemon Institute (hat tip to the IAPP for helping with some question development). Quite simply, it has revealed that many companies are behind schedule to achieve General Data Protection Regulation compliance by the looming May deadline. The survey results show that 40 percent of companies only expect to achieve compliance with the regulation after May 25, when the Regulation comes into effect.
Our McDermott-Ponemon study surveyed companies across the U.S. and Europe on their understanding of the impact of GDPR and their readiness for it. Key findings of this important benchmark survey include:
- 52 percent of the companies responded that they expect to be compliant on or before the May 25 deadline, and an additional 40 percent expect to become compliant after the deadline (note that 8 percent of companies were not sure when they will achieve compliance).
- 60 percent of respondents say GDPR will “significantly change” their organizations’ workflows regarding the collection, use and protection of personal information, with 71 percent acknowledging that lack of compliance could have a detrimental impact on their companies’ ability to conduct business globally.
- Preparing for data breach notification, a cornerstone of the regulation, is viewed as the most difficult obligation according to 83 percent of respondents – with 68 percent saying that inability to comply with the notification requirement poses the greatest risk to their companies.
For Mark, what was most striking is that, as this study shows, there is a lot more work to be done for GDPR readiness. These findings reflect the demanding nature of GDPR and the anxiety around complying with it. A key issue here is prioritizing what can be done in the remaining time before that May deadline and acting on those high-risk areas.
From the London office, Ashley noted that, as he has repeatedly seen, compliance is more than just updating your privacy policy, so it is heartening to see so much wholesale change to workflows and an appreciation that business-as-usual processing will change after May 25. However, it is particularly interesting to see which sectors are making the most effort to get into compliance, as it is not just consumer- or retail-facing companies. With markedly disparate levels of compliance expected by May 25, it will be interesting to see what the regulators' response will be.
The survey shows that companies are investing heavily in attempting to achieve GDPR compliance. The average annual budget for compliance is $13 million according to the findings – a figure that one in three companies expects to review annually. More than one in five (22 percent) believe that a budget allocation will continue indefinitely in their organization due to a need to continue investing in technologies, governance practices and staffing. Respondents believe that the majority of the budget will be spent on managed services (28 percent of spend), followed by personnel (19 percent of spend) and technology (17 percent of spend). The annual budget for GDPR compliance varies by head count, but, of the companies surveyed, even those with a 1,000-5,000 headcount were investing on average just over $8 million for GDPR.
Examining the data, Larry noted that the risks of failing to comply with GDPR have most often been reflected in organizations' fear of the potential size of the financial penalties that non-compliance could bring about. The headline figures – fines of up to €20m or 4 percent of global turnover, whichever is the greater amount – represent a potentially massive fine for companies.
Respondents also say that compared to other regulations, compliance with GDPR is either more or equally difficult to achieve. In fact, 64 percent of respondents say a barrier to GDPR compliance is the need to make comprehensive changes in business practices.
Industry sector and company size are important factors in GDPR readiness. Financial service organizations report the highest readiness level, followed by companies in technology and software and energy and utilities. In contrast, companies in retail, industrial manufacturing and services report the lowest readiness level.
Smaller companies and very large companies see themselves as less likely to be in compliance with GDPR by the effective date than do mid-size companies. Smaller-sized organizations report the lowest readiness level, while companies with 5,000 to 25,000 employees report the highest readiness level. Large companies with more than 25,000 employees have a lower level of readiness than middle-sized organizations.
The full survey results can be accessed and downloaded here. Dive in!