A major survey by an international law firm has revealed that many companies are behind schedule to achieve General Data Protection Regulation (GDPR) compliance by the looming May deadline.
The survey results show that 40 per cent of companies only expect to achieve compliance with the regulation after May 25th when the Regulation comes into effect.
The McDermott-Ponemon study surveyed companies across the US and Europe on their understanding of the impact of GDPR and their readiness for it.
Key findings of this important benchmark survey also show that 52 per cent of the companies responded that they expect to be compliant on or before the May 25th deadline, and an additional 40 per cent expect to become compliant after the deadline. However, a fairly large share, 8 per cent of companies, were not sure when they will achieve compliance.
“There is a lot more work to be done for GDPR readiness, this study shows. These findings reflect the demanding nature of GDPR and the anxiety around complying with it,” said Mark Schreiber, McDermott partner and a leader of the Firm’s Global Privacy and Cybersecurity Practice. “A key issue here is prioritizing what can be done in the remaining time before that May deadline and acting on those high risk areas.”
“Compliance is more than just updating your privacy policy, and so it is heartening to see so much wholesale change to workflows and an appreciation that business-as-usual processing will change after May 25,” said Ashley Winton, McDermott London partner and Chairman of the Data Protection Forum. “However, it is particularly interesting to see which sectors are making the most effort to get into compliance, as it is not just consumer- or retail-facing companies. With markedly disparate levels of compliance expected by May 25, it will be interesting to see what the regulators’ response will be.”
The survey shows that companies are investing heavily in attempting to achieve GDPR compliance. The average annual budget for compliance is $13 million according to the findings – a figure that one in three companies expects to review annually. More than one in five believe that a budget allocation will continue indefinitely in their organization due to a need to continue with investment in technologies, governance practices and staffing. Respondents believe that the majority of the budget will be spent on managed services, followed by personnel and technology.
“The risks of failing to comply with GDPR have been most often reflected by organizations’ fear of the potential size of the financial penalties that non-compliance could bring about,” said Larry Ponemon, founder of the Ponemon Institute. “The headline figures – fines of up to €20m or 4 per cent of global turnover, whichever is the greater amount – represent a potentially massive fine for companies.”