We’re just about at T-minus two weeks until the EU General Data Protection Regulation (GDPR) deadline hits, and the consensus is that many, many organizations haven’t even started working on compliance, let alone achieved full compliance at this point. The fact is that when May 25 hits, the majority of organizations will be unprepared in some way or other.
“The lack of GDPR preparedness in the industry is concerning, particularly given the risk of regulatory action and the potential impact to a firm’s reputation,” said Robert Baugh, founder and CEO of compliance firm AmberGate. “Many firms will now need to divert significant resource and time to the project—there is clearly still much to do across most organizations. Firms will face growing pressure from an internal governance perspective from investors and from regulators likely to take an increasingly firm stance on the issue.”
This state of affairs has been continually backed up quantitatively by a cascade of surveys, studies and other reports from the industry over the last year or so. Here’s a roundup of some of the most compelling recent numbers.
More Than Half of Firms Globally are not Compliant with GDPR
A recent study of 448 organizations done by KPMG Global Legal Services finds that 54 percent of them are still not compliant. This wasn’t released last year or four months ago—these numbers are from two weeks ago, which means they’re fresh. This study also shows that many leaders at the top may only be giving the regulation lip service. Among organizations that report strong board-level support for GDPR compliance activities, almost a third still haven’t appointed a data protection officer and 45 percent don’t document all of their data processing activity.
Only 13% of U.S. Firms are Fully Compliant with GDPR
According to a study out last month, only 13 percent of U.S. firms have fully complied with the European regulation. On its face that might not sound so bad, but if any of these firms want to do business in Europe, they must toe the line with regard to their customers there. Conducted by CompTIA among 400 companies, this study showed that more than half of respondents are still working just on the GDPR awareness phase. The survey showed that 52 percent are either still exploring the applicability of GDPR, have determined it is not a requirement to their business or are unsure about the applicability.
Even Half of Investment Firms Aren’t Ready
Even in the heavily regulated financial services field—which is used to just about any kind of regulation known to man—GDPR compliance is still relatively low. A month ago Cordium conducted a study among 250 global investment firms and the results showed that 50 percent are unlikely to be ready for GDPR when the deadline hits.
41% of Organizations are a Year or Longer Away from GDPR Compliance
Crowd Research Partners conducted a study among 531 IT and compliance pros worldwide and found that 53 percent of them are more than six months out from compliance and 41 percent are at least a year away. Worst of all, more than 1 in 4 of them say it’ll take four years or longer before they fall into line.
Fewer Than 31% of Organizations Have Well-Defined GDPR Plans
A big part of the problem is that many organizations haven’t begun their GDPR compliance processes in earnest yet. Last month the Cloud Security Alliance released a survey of 1,000 organizations worldwide. Around 85 percent of organizations said that they’ve taken steps for compliance, but when further pressed, fewer than 1 in 3 say their plans for meeting GDPR requirements are well-defined.
Two-Thirds of Organizations Aren’t Ready to Disclose Breaches in 72 Hours
One of the big provisions of GDPR is the requirement that organizations disclose data breaches involving European residents’ sensitive info within 72 hours. A study by Enterprise Strategy Group shows that only 33 percent of organizations are ready to meet this mandate. The numbers from this study further back up others, showing that only 11 percent of organizations believe they’re completely prepared for GDPR.
Only 51% Have Systems in Place to Remove Citizen Data on Request
Another tricky mandate of GDPR will be the requirement that organizations remove EU citizen data from their servers upon request from any individual. Nearly half of organizations today say they don’t have all of their ducks in a row yet to be able to comply, according to a study from WinMagic last month. Even more troubling, 1 in 5 organizations say they don’t have any systems in place to comply with this kind of request.