These results are compared to a GDPR readiness survey from last year, which found that 78 percent expected to be prepared by the time the regulation came into effect in May 2018. However, organizations are realizing the benefits of being compliant. Of those that are, 81 percent say GDPR has had a positive impact on their reputation and brand image.
The “Championing Data Protection and Privacy – a Source of Competitive Advantage in the Digital Century” report finds that companies have responded to new requirements more slowly than they expected, citing barriers including the complexity of regulation requirements, costs of implementation and challenges of legacy infrastructure. Meanwhile, a significant number of organizations are investing heavily in data protection and privacy to ensure compliance with existing regulations, and to lay the foundation for those to come.
Enterprises have fallen behind on GDPR compliance
Although over a year has passed since GDPR went into effect, the position of many enterprises remains uncertain in terms of compliance. 28 percent of organizations say they have achieved compliance. However, just 30 percent of organizations are “close to” complete compliance but still actively resolving pending issues. Compliance was highest among companies in the US (35 percent), followed by the UK and Germany (both on 33 percent), and lowest among Spanish and Italian companies (both on 21 percent) and Swedish companies (18 percent).
Executives identified barriers to achieving full GDPR compliance as the challenges of aligning legacy IT systems (38 percent); the complexity of the GDPR requirements (36 percent); and prohibitive costs to achieve alignment with regulations (33 percent). The volume of queries from data subjects has also been extremely high: 50 percent of US companies covered by GDPR have received over 1,000 queries, as did 46 percent of French companies, 45 percent in the Netherlands and 40 percent in Italy.
As organizations struggle to comply, they are making significant investments to cover the costs of increased professional fees to support GDPR alignment; 40 percent expect to spend more than $1m on legal fees and 44 percent on technology upgrades in 2020. In addition, organizations face a new challenge: the adoption of new legislation in different countries outside the European Union.
Benefits of being GDPR compliant
Companies who fail to achieve GDPR compliance lose opportunities. Of the organizations that have achieved compliance, 92 percent said they gained competitive advantage, something only 28 percent expected last year. The vast majority of executives from firms which achieved compliance said it had a positive impact on customer trust (84 percent), brand image (81 percent) and employee morale (79 percent).
Executives from compliant firms also identified positive second-order effects of implementing GDPR, including improvements in IT systems (87 percent vs. 62 percent who anticipated this in 2018), cybersecurity practices (91 percent vs. 57 percent) and organizational change and transformation (89 percent vs. 56 percent).
Technology is a key enabler
The survey found a clear gap in technology adoption between compliant organizations and those lagging behind. Organizations compliant with GDPR, in comparison with non-complying organizations, were more likely to be using cloud platforms (84 percent vs. 73 percent), data encryption (70 percent vs. 55 percent), Robotic Process Automation (35 percent vs. 27 percent) and industrialized data retention (20 percent vs. 15 percent).
82 percent of GDPR compliant organizations had taken steps to ensure their technology vendors were compliant with relevant data privacy regulations. However, only 63 percent of non-compliant companies could say the same. A majority (61 percent) of the compliant organizations said they audit sub-contractors for data-protection compliance, compared to 48 percent of non-compliant companies.