Only 20pc of organisations are confident they are GDPR-compliant

12 Jul 2018

What are the missing pieces when it comes to GDPR compliance? Image: Jantanee Runpranomkorn/Shutterstock

How do privacy professionals feel about GDPR now the deadline has passed? A new report from TrustArc shows just how much work there is left to do.

GDPR has caused a seismic shift in how organisations manage their data. In the number of weeks since the regulation’s enforcement, privacy professionals around the world are dealing with the repercussions.

Privacy management firm TrustArc carried out a survey of 600 privacy-focused professionals in the beginning of June 2018.

Survey participants had responsibility for privacy as a significant element of their job at companies with 500 employees or more. Participants from the EU, US and UK made up three equal blocks of professionals.

According to the survey, 96pc of organisations have begun their compliance process and a mere 20pc of participants say they are fully GDPR-compliant. While the majority of companies have a significant amount of work to do, 74pc expect to be compliant by the end of 2018 and 93pc at the end of 2019.

There have been some improvements in comparison to research carried out by TrustArc in 2017, when the number of companies in the US having implemented or completed compliance proceedings was at 38pc, compared to 66pc now.

27pc of EU participants are fully compliant, while the US lags behind at 12pc. UK firms come somewhere in the middle, at 21pc compliant.

TrustArc CEO Chris Babel said: “While the amount of effort was immense for the deadline of May 25, there is substantive work yet to complete to achieve initial compliance as well as monitor and maintain compliance on a repeatable and efficient ongoing basis.”

What are the challenges?

According to the survey, the complexity of the regulation was the biggest GDPR challenge, followed by a lack of knowledge and shortage of qualified staff coming in second and third, respectively.

Legal professionals in particular struggled with the lack of technology tools to help them comply; 87pc of companies surveyed required some form of help from a third party, 55pc needed technological tools and 57pc said privacy experts were called in to help professionals understand regulations.

While the majority of respondents have done great work on cookie consent management and policy updates, vendor risk assessments and international data transfer mechanisms are the least advanced compliance areas.

An expensive undertaking

GDPR has been a costly process for many organisations, particularly in the States. 18pc of US respondents shelled out more than $1m on GDPR, while UK and EU individuals said 8pc of total annual budget on average was spent on compliance.

What are the incentives behind compliance?

The number one-reason to comply for participants from all territories was meeting customer expectations, with fines coming in as the fourth most pressing incentive to comply.

In the future, 59pc of all of the companies surveyed are keeping continued GDPR compliance as their main privacy priority for the next six to 12 months. ISO and ePrivacy regulation compliance are further down the list for the majority of respondents.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects