Getting to GDPR Compliance: Risk Evaluation and Strategies for Mitigation

Published: November 2017Click To View (PDF)

The European Union’s General Data Protection Regulation presents compliance challenges for organizations across industries and geographies. American firms struggle with the law’s complexity. Even among European firms, which presumably have already built data protection programs to comply with the EU Data Protection Directive, the GDPR requires new investments in privacy resources.

The risks of not complying, of course, include fines up to 4 percent of global turnover. But not all non-compliance is created equal and – given the law’s implementation deadline of May 25, 2018 – privacy professionals must prioritize.

To gauge the risks of non-compliance with various aspects of the GDPR, the IAPP surveyed nearly 500 privacy pros, most of whom work for organizations headquartered in either the United States (44 percent) or the European Union (including the United Kingdom, 44 percent). We asked them to rate the risk of noncompliance with various requirements of the GDPR and what actions they are taking to mitigate each perceived GDPR risk.

What was the number one action item to mitigate GDPR compliance risk? Investment in training. Training employees on data protection and privacy tops the list for 10 of 11 GDPR compliance risks. The only risk training doesn’t mitigate is appointing a data protection officer, which obviously requires taking other steps.

The second most likely response to GDPR risks is investments in technology. These results conform precisely to the 2017 IAPP-EY Privacy Governance Report, which similarly found that investments in training and technology are the top two GDPR preparedness activities.

Regarding the risks themselves, respondents overall rate failing to prepare for data breach notification as the highest GDPR compliance risk, with failure to conduct data inventory and mapping coming in a close second. Not obtaining data subject consent and improperly handling international data transfers tie for third place overall. Among U.S. respondents, however, not complying with requirements around international data transfers ranks as the top GDPR risk – and earns the highest overall risk score.

Although they are struggling with GDPR’s complexity, American respondents are still bullish on their ability to be ready by the May 28 deadline. Indeed, 84 percent of U.S. respondents expect to be GDPR-compliant by May 2, 2018.

EU privacy professionals are either less concerned or more honest – or perhaps lacking in resources – because more than one in four say they will not be ready on time. Their biggest barrier, they say, is lack of adequate budget.