Research by the Capgemini Research Institute has found that just 28% of companies have successfully achieved compliance, over a year since the law came into effect. Compliance was highest in the US (35%), followed by the UK and Germany (both on 33%), and lowest in Spain and Italy (both on 21%), and Sweden (18%). Compliance is being pushed out to suppliers and contractors as well, with vendors also being audited.
Given the costs of complying and the need for advanced technology in proving and monitoring compliance, the US lead is perhaps not so surprising.
Executives identified the challenges of aligning legacy IT systems (38%), the complexity of the GDPR requirements (36%) and prohibitive costs to achieve alignment with regulations (33%) as barriers to achieving full GDPR compliance. Technology is a key enabler for compliant organizations - organizations compliant with GDPR, in comparison with non-complying organizations, were more likely to be using cloud platforms (84% vs. 73%), data encryption (70% vs. 55%), Robotic Process Automation (35% vs. 27%) and industrialized data retention (20% vs. 15%).
While 82% of GDPR compliant organizations had taken steps to ensure their technology vendors were compliant with relevant data privacy regulations, only 63% of non-compliant companies could say the same. A majority (61%) of the compliant organizations said they audit sub-contractors for data-protection compliance, compared to 48% of non-compliant companies.
The research surveyed 1100 senior executives across eight sectors at companies headquartered in France, Germany, Italy, the Netherlands, Norway, Spain, Sweden, the UK, the US, and India.
As organizations struggle to comply, they are making significant investments to cover the increased professional fees needed to support GDPR alignment; 40% expect to spend more than $1m on legal fees and 44% on technology upgrades in 2020. In addition, organizations face a new challenge - the adoption of new data-protection legislation in countries outside the European Union.
Opportunities are being lost by companies which fail to achieve GDPR compliance, it seems. Of the organizations that have achieved compliance, 92% said they gained competitive advantage, something only 28% expected last year. The vast majority of executives from firms which achieved compliance said it had a positive impact on customer trust (84%), brand image (81%) and employee morale (79%). Executives from compliant firms also identified positive second-order effects of implementing GDPR, including improvements in IT systems (87% vs. 62% who anticipated this in 2018), cybersecurity practices (91% vs. 57%) and organizational change and transformation (89% vs. 56%).
The survey found a clear gap in technology adoption between compliant organizations and those lagging behind, as the figures above show.
Robert Baugh, Founder & CEO of Keepabl, the GDPR-as-a-Service solution: "This survey is a welcome dose of realism. I believe that organisations have not wanted to report that they're not compliant (and they've no idea how to get there). So I've always seen surveys showing 50%+ as compliant as wholly inaccurate, based on my experience in the market. 28% sounds much more realistic (amongst large entities; it will be far lower amongst smaller entities), as does the benefit from being GDPR compliant - which we see and hear regularly. Cisco publish an annual survey which shows GDPR compliance bringing a roughly 40% reduction in breach risk and loss, and the same positive effect on revenue acceleration, so this study ties in well with that. Our service gives people a simple, structured and practical way to move to and maintain GDPR compliance, in conjunction with their trusted adviser such as their MSP. And given an MSP's typical client base is SME, I bet fewer than 28% of those will be compliant."
"Many previous surveys have indicated that organisations in the US are happier spending more on compliance, and technology to support compliance. However, it's still surprising that the US GDPR compliance figure is higher than Germany and the UK (I'd expect Germany to have higher compliance levels than the UK at present). I suspect that this may be to do with the survey population, but the survey results are still a wake-up call to UK (and EEA) businesses."