With just over six months to go before the European Union’s General Data Protection Regulation (GDPR) comes into force, it appears US companies are better prepared than their European counterparts.*
According to a joint report from the International Association of Privacy Professionals (IAPP) and TrustArc, a technology compliance company, 84% of US respondents expect to be GDPR-compliant by May 25, 2018, compared with 72% of Europeans.
TrustArc and the IAPP surveyed nearly 500 privacy professionals split evenly between the US and EU, asking them to rank perceived risk on a five-point scale, with 1 indicating no risk and 5 showing high risk.
Companies and organisations around the world have been keeping a close eye on the GDPR, which will introduce tough restrictions on how consumer data is collected and stored. Failure to comply carries the risk of fines of up to €20m or 4% of global turnover, whichever is the greater.
In their overall assessment of their preparedness, the respondents identified the four greatest compliance risks as: the GDPR’s 72-hour breach notification, data inventory and mapping, obtaining user consent, and managing international data transfers.
However, there were differences between the American and European privacy professionals, with the former identifying international data transfers as the top compliance risk, while Europeans cited failure to be prepared for a data breach.
And in terms of barriers to compliance, US firms cited the complexity of GDPR requirements as the largest hurdle, while EU firms pointed to a lack of appropriate budget.
Regardless of confidence levels, all respondents agreed that the number one way to mitigate GDPR compliance risk is privacy training, followed by investment in privacy and data protection technology, such as data mapping tools.
“Working with our customers, we find that the most effective strategy to achieve compliance is based on building employee expertise and know-how, combined with technology platforms that enable the next-generation processes and routines necessary to efficiently do things like identify and map user data and manage user consent,” said Chris Babel, CEO of TrustArc.
Separately, the Direct Marketing Association (DMA) in the UK released the latest findings of its ongoing study into the preparedness of marketers for the new regulations.
It found that about three-quarters reported having good awareness (77%) and are prepared (74%), although two-thirds (64%) believe their organisations will be “very” or “extremely” affected by the new rules and another 65% think the GDPR will hinder marketing.
* GDPR Watchdog can’t wait to test that thesis. Empowering EU consumers, we will help data subjects write to American companies to request information on how their personal data is used, and verify that US firms are in full compliance with the GDPR. We are looking forward to May 25th, as the news above from November 10th is more in line with our experience:
A recent HyTrust survey [PDF] of 323 attendees at the VMworld 2017 conference in Las Vegas, Nevada found that just 21 percent of respondents said their companies are concerned about GDPR compliance regulations and have a plan in place for it.
Another 27 percent are concerned about GDPR but have no plan in place for it, 23 percent aren’t concerned and have no plan in place, and 29 percent are unaware of GDPR’s relevance to their organization.
“If you think GDPR doesn’t apply to your organization, think again,” HyTrust president and founder Eric Chiu said in a statement.
“Most organizations today are very aware of their security risks, but are not as far along with technology and processes to meet the GDPR compliance requirements, despite a May 2018 deadline that has significant fines for failure to comply,” Chiu added.
The survey also found that 22 percent of respondents are not using public clouds at all, and that the leading public cloud risk cited by respondents was “malicious or accidental exposure of workload data.”
Still, 10 percent of respondents admitted that they don’t encrypt data in public cloud deployments.
A separate Carbon Black survey of 120 business decision makers found that while 86 percent of respondents said they’re “reasonably” or “very” confident in their ability to comply with GDPR requirements regarding users’ rights to control all aspects of their personal data, 58 percent aren’t yet leveraging recognized frameworks or technologies to assess data risk.
The survey, conducted with Computing Magazine, also found that less than 10 percent of respondents believe their toolsets for classifying critical data and prioritizing risk to data are effective and easy to manage.
Twenty-four percent of respondents admitted they’re unsure whether their company conducts Data Protection Impact Assessments as required by GDPR, and 13 percent said they definitely don’t conduct them.
“In order to effectively identify and neutralize data breaches, it’s essential to know what constitutes normal network behaviors versus what is suspicious,” Carbon Black senior director for compliance and governance programs Chris Strand said in a statement.
“Failing to align the right data protection toolsets with people and processes, many organizations are at risk of non-compliance with the GDPR and, more importantly, putting their customers’ information in jeopardy,” Strand added.
Investing in Compliance
A recent IAPP-EY survey of 548 privacy professionals worldwide found that fully 95 percent of respondents, more than 75 percent of whom are located outside the EU, say the GDPR applies to their organization.
Seventy-five percent of EU survey respondents said GDPR compliance is the main reason for their privacy program. The same is true for 50 percent of U.S. respondents.
Responding organizations expect to hire a total of more than two full-time employees just to help with GDPR compliance.
Fifty-five percent of respondents plan to invest in technology to help with GDPR compliance, up from just 29 percent last year — and 63 percent plan to invest in training, up from 50 percent in 2016.
“Even though the EU’s GDPR has yet to take effect, organizations the world over are spending money on hiring and promoting privacy staff, training employees on privacy, purchasing technology to help with GDPR compliance, and pushing privacy awareness into every corner of the firm,” the report states.
Still, just 40 percent of respondents believe they’ll be fully compliant by next May’s GDPR deadline.
UPDATED MAY 19th: We are now less than one week away from GDPR coming into force. Companies have had 2 years to prepare, and GDPRwatchdog’s estimated guess is that less than 20% are fully compliant. This is very much in line with the European Data Protection Authorities: here too, only 20% of the DPAs are fully operational and ready to audit and prosecute.