Is your company getting ready for the General Data Protection Regulation? If so, it might be in the minority. That's because, according to research conducted by TrustArc, the answer is likely no.
In their survey, “Privacy and the EU GDPR,” TrustArc, formerly known as TRUSTe, polled 204 privacy professionals from companies across several industries that are subject to the GDPR. The companies broke down into three categories: 500-1,000 employees, 1,000-5,000 employees, and more than 5,000 employees.
Of those respondents, 61 percent said they have not started the process of GDPR implementation, while 23 percent said they have begun implementation, 11 percent stated their implementation is “well underway,” and four percent claimed to be fully compliant with the GDPR. Of the 61 percent who have not started implementation, 39 percent are working on their preliminary plan, 18 percent have a plan in place, but have not started implementation, and four percent haven’t started working on a plan at all.
In November, a similar survey of IAPP members done by the IAPP in coordination with TRUSTe found slightly more advanced preparations. At that time, 67 percent of EU companies reported they had begun implementation, while just 40 percent of U.S. firms had moved into implementation of their GDPR compliance plan.
When broken down by company size, an average of 39-40 percent of respondents in each of the three categories said they have not started implementation. Companies with 1,000-5,000 employees were most likely to have begun the process, with 30 percent stating their implementation has commenced.
TrustArc CEO Chris Babel said he was alarmed by the number of companies still in the early phases of GDPR implementation, having believed more companies would be further along in the process at this point. While Babel isn’t sounding the alarm just yet, he warns companies may want to get going on implementation in order to tackle the challenges that will inevitably arise.
“It’s not that this is impossible to achieve, it’s just that if you are in that phase of trying to figure out your plan, there’s going to be a lot of unopened cans of worms that you haven’t gotten to yet,” said Babel. “What I’m more worried about is how many people are still in the phase of learning about requirements, learning about their own business processes, and they are going to have surprises there, because I haven’t seen anyone that hasn’t had a surprise yet.”
When asked why so many companies have yet to start their GDPR implementation plan, Babel points to the large amount of time organizations had to prepare for the legislation. “When you look at something that is two years out, it’s sometimes hard to ring the alarm even if you can say [potential fines represent] four percent of revenue,” said Babel. “Now that we are one year out, it’s much easier to ring that bell.”
On the other end of the spectrum, Babel expressed skepticism at the four percent of companies claiming they are completely compliant with the GDPR. For companies to claim they are compliant at this stage, Babel believes they either do not conduct any business in Europe or are not completely knowledgeable of the legislation, as parts of the GDPR have yet to be defined, so companies cannot know whether they are in fact compliant.
In terms of TrustArc's GDPR research, another important part focused on GDPR spending. Of the respondents, 83 percent expect their GDPR spending to top six figures, with 42 percent expecting spending to be between $100,000 and $500,000, 23 percent estimating between $500,000 and $1 million, and 17 percent looking at more than $1 million.
Broken down into organization size, 53 percent of companies with 500-1,000 employees expect to spend $100,000 to $500,000, while 23 percent of companies with more than 5,000 employees expect to be spending more than $1 million on GDPR compliance. The largest companies polled expect to spend somewhere in the range of $28 to $48 million.
Babel was not surprised to see the larger companies spending more money on GDPR compliance. Their data will likely be spread out in more countries, and their non-compliance penalties will be far larger than those of smaller organizations.
GDPR compliance will likely look different for each organization as the May 25, 2018 deadline approaches. Babel expects companies to have a tougher time complying with the GDPR if their privacy program was underdeveloped, or nonexistent, before their implementation began. Other factors affecting compliance include the size of the business, the staffing and resources available, and awareness within the organization.
As the GDPR deadline nears, Babel expects to see some laggards, but expects the vast majority to be ready by next spring. “If you aren’t in the implementation phase by the end of the year, there needs to be a good reason, like you are not in Europe, you are a very small business that just got started, or have very little European data,” said Babel.