Updated: Aug 25
As we slowly enter 2020, during the year of 2019, numerous studies have been conducted with the objective to see just how far companies fare in regards to their GDPR compliance efforts. As fines and penalties are still being issued from various data protection regulators in their respective countries, it may be suggested that companies, ranging from multinational corporations to SMEs, are still struggling to be fully compliant with the GDPR.
In this blogpost, we take a look at several key studies done by various types of organisations, the numbers in their findings, and how it all shapes the race for compliance.
GDPR compliance looked at from a glance
The aim was to look at the different struggles companies faced on their compliance efforts.
The research found that a significant number of companies continue to struggle keeping up with the GDPR. In fact, the report found that one in three companies in Europe were still not GDPR compliant, over 1 year after its enforcement. The report also revealed that only 57% of businesses were confident that their business had followed the obligations set out by the GDPR, while 13% were still very unsure about their efforts. The results also showed that medium-sized businesses and enterprises (SMEs) were “struggling to understand and implement” GDPR compliance efforts. Further key takeaways of the report are:
• 38% of businesses did not necessarily understand when consent is needed to hold and process data • 35% were not sure how they should monitor their employees’ use of personal data • 34% did not understand what measures are needed to ensure third party supplier contracts are GDPR compliant • 21% admitted that they still have not implemented a cyber security strategy
However, the study also indicated a positive effect: 73% of businesses stated that with the GDPR’s implementation, they have been encouraged to further improve the way they handle customer data.
As the data above suggests what the GDPR compliance efforts for businesses in Europe
look like as of 2019, the compliance efforts of companies operating outside the EU, but cooperating in any way with anyone or any company located in the EU, also must adhere to the data privacy regulation. Moreover, the RSM report had also focused on SMEs within Europe. So, what if take a look from a further perspective, and see what research says on how the race for compliance looks like outside the EU, and include larger companies who may also face similar struggles.
Taking a closer look into the numbers and details behind compliance efforts
In September of 2019, the Capgemini Research Institute published a study that included the results of a research done on over 1,000 privacy, compliance, and data protection personnel across 8 business sectors: insurance, banking, consumer goods, utilities, telecom, public services, healthcare and retail. This study was conducted in a similar scale as the companies involved in the research were headquartered in France, Germany, Italy, the Netherlands, Norway, Spain, Sweden, the UK, but this time had also included the US and India.
The report revealed that despite a significant number of businesses having been confident about their GDPR compliance efforts by the time the GDPR had come into force back in May 2018, 75% of the respondents admitted that they were still struggling with their compliance efforts.
It was found that only 28% of companies had successfully achieved compliance, which was put in contrast to a “GDPR readiness survey” that was conducted back in 2018, where 78% of the businesses expected to be fully prepared by the time the GDPR was enforced.
The results of the survey indicated that compliance was highest with companies from the US with 35%, followed by the UK & Germany (who were both on 33%). The lowest percentage of compliance ratings were from Spain & Italy (who were both on 21%) and Sweden (18%).
Furthermore, the report revealed common obstacles that caused problems for a company’s compliance efforts:
• 38% stated that they had challenges with aligning legacy IT systems to that of the GDPR requirements • 36% struggled with the complexity of obligations and requirements that had been set out • 33% indicated that there were costs related issues that hindered further compliance efforts Volumes of data subject requests had also been revealed as a struggle for the companies. It was found that a significant number of companies in different countries had received 1,000+ data subject requests. Namely:
• The US (50%) • France (46%) • the Netherlands (45%) • Italy (40%)
On a positive note, the results showed that 81% of businesses stated that their GDPR efforts has given a positive impact on reputation and brand image as well.
The two studies discussed above give an initial impression on the kinds of struggles companies big or small face while on the race to compliance. As the GDPR continues to demand appropriate data privacy and data protection measures being taken by companies, the next study sheds light on some of the common measures that had been taken. Not only does the study highlight these measures, but it is also conducted on a larger group.
In it to win it: Compliance efforts analysed from an even broader scope
Also published in September of 2019, a research done by McDermott, Will & Emery along with Ponemon Institute had been conducted that involved over 1,200 companies in a much broader scope. The research not only looked into companies in Europe and the US, but also included Asia, namely China and Japan as well. The study reflected upon difficulties faced by the businesses and was based upon reactions from individuals who work in a variety of their respectful company’s departments which include: IT, cybersecurity, compliance, data protection, privacy, and legal. The results showed that only 18% of respondents were confident in their ability to communicate a data breach to appropriate authorities within 72 hours of initial awareness, and 50% admitted that they had encountered at least one data breach.
Another significant finding from the study is that US based companies experienced and reported more GDPR related cyberattacks (45%) compared to:
• Europe (34%) • China (31%) • Japan (38%)
Also a notable point would be that Japan based companies used external cybersecurity services to investigate their GDPR related cybersecurity issues with 47% compared with:
• Europe (40%) • the US (44%) • China (25%)
Also finishing on a positive note, the study found that 90% of the respondents say their company has appointed a Data Protection Officer (DPO) and 54% stated that their company has even appointed an EU representative. These results were especially highlighted as there is a notably strict criteria for appointing DPOs and EU representatives as well.
With a clear understanding on some of the compliance efforts certain companies have put in place, it can be suggested that the GDPR continues to keep companies in and outside the EU proactive when it comes to data privacy and data protection.
What will the race to compliance look like?
As we enter 2020, several resources such as the studies and the ongoing GDPR fines being issued, suggests that data privacy will be the most important issue in the next decade.
Will more companies fall behind in the race and ultimately, fall under the harsh penalties from the GDPR? Or will they continue to take the appropriate measures in ensuring GDPR compliance, and keep up in the race?
This article does not constitute legal advice.
The opinions expressed in the column above represent the author’s own.