The results of a TrustArc survey earlier this year were far from encouraging: 61 percent of respondents, privacy professionals at 204 U.S. companies, had not started the process of GDPR implementation. That was in May, a year out from the GDPR coming into force.
Fast forward to the end of the summer, and TrustArc conducted another survey, this time polling 203 U.K. businesses on their readiness for the GDPR. Despite three months having passed, the survey found U.K. businesses are actually farther behind than their U.S. counterparts were. In its latest report, “Privacy and the EU GDPR,” TrustArc found 64 percent of U.K. businesses have not started GDPR implementation.
TrustArc CEO Chris Babel was surprised to see the U.K. businesses trailing behind U.S. organizations, especially given the timeline of when the two surveys took place.
“[The U.S.] research was fielded in May and reported in June and this was fielded in August [and reported] in September,” said Babel. “I guess I was expecting we’d be further along, particularly given that you are talking to European businesses, who if anything, would have a deeper, more innate understanding of things.”
So why are U.K. businesses farther behind than the U.S.?
Babel’s first guess was a lingering uncertainty around Brexit. When the survey was conducted, the U.K.’s stance on the GDPR had not been clarified, which could have affected some of the numbers in the survey. Even with the uncertainty, 74 percent of respondents said they would not reduce their GDPR budgets because of Brexit.
Since then, the U.K. has announced it will implement the GDPR into domestic law. Babel believes that if the survey were conducted today, the results would likely change course.
In addition, Babel’s got a second theory as to why the U.K. is farther behind: the country’s proximity to where the rules originated. It simply has more of a familiarity with European laws and therefore the GDPR. Thus, less panic.
“There may then be a comfort in the knowledge and understanding of those [laws],” Babel said, “and therefore a delay in the start of [implementing] because they feel like they have their house in better order at the starting point, and need less time to get to the conclusion.”
He added, however, nothing in the data says that. It's a guess.
Or perhaps the lack of GDPR preparation comes from a lack of understanding of what the rules entail.
Babel said TrustArc recently launched a 25-city roadshow across both the U.S. and the EU, spanning 45 days. During those events, Babel said, many privacy professionals asked very basic questions regarding the impending legislation.
“It’s interesting to participate in those because, while some of the attendees that will come clearly are very experienced and understand these things and are at companies that have been thinking about this for years, you are running into the people that ask questions like, ‘This is four percent of global revenue?’ It is surprising to me still in the general broad-based market how unprepared some are,” said Babel.
The U.S. and U.K. respondents did share similar views towards broader privacy topics. Of the privacy professionals polled, 96 percent of U.S. respondents said the importance of privacy is growing, and 94 percent of U.K. pros expressed similar sentiments. Both sides said privacy management is becoming more complex (98 percent for the U.S., 93 percent in the U.K.).
The survey did find U.S. companies are investing more in privacy management and GDPR readiness than U.K. organizations. When asked about the money they expect to spend to comply with the GDPR, 83 percent of U.S. companies expect to spend at least $100,000, while only 69 percent of U.K. businesses expect to spend the same amount.
When the results are further narrowed, 23 percent of U.S. companies with more than 5,000 employees expect to spend more than $1 million, compared to 19 percent of U.K. businesses in the same position.
Babel attributes the spending partly to the U.S. having a larger number of big businesses, which are able to spend more than the average U.K. organization.
The spending will come soon, as May 2018 grows closer and closer. Given that both surveys found more than 60 percent of businesses had not started their GDPR implementation processes, the following question might be popping into privacy professionals' minds: Is it time to panic?
“I think increasingly alarmed is the way to describe it,” said Babel. “I would start to say people have to, if they are in this bucket where they barely have gotten started, that they have their work cut out for them. It’s getting harder every day to do that.”
The good news, Babel said, is he's seen businesses work hard to ensure their GDPR preparation is on track. Perhaps if and when TrustArc conducts another survey in the near future, more businesses will be closer to where they need to be. A look at the calendar indicates they better be.