2017 is soon coming to an end, which means that the General Data Protection Regulation (GDPR) will arrive very shortly. This leaves companies with just a few months to get their final GDPR preparations in place to avoid economic sanctions and public scandal. But how far are organizations really in their preparations? Will they be ready? And what about the non-European companies? How much will they all invest in the new personal data regulation and what are their biggest challenges? Will consumers even use their new rights?
We have swept the internet for the newest surveys, predictions and stats on GDPR. And in this blog post we gather everything and give you the latest insights.
How many are compliant or expecting to be?
Unsurprisingly, complying with GDPR is not something anyone can do overnight, and not all the organizations that need to comply will be prepared in time. This pattern is consistent no matter what survey or prediction we look at.
Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be fully compliant with its requirements.
A September 2017 survey from Hubspot shows that less than half of companies surveyed (42%) are prepared for the GDPR, while 22 percent admit that they haven’t done anything yet to prepare for it.
An audit report from W8 Data suggests that up to three quarters of customer data held within UK organizations’ marketing databases will become useless when the GDPR kicks in, due to the new consent requirements. The same audit showed that only 25 percent of existing customer data meets the consent requirements specified under GDPR.
In general, organizations are far from compliant. However, many are on their way, which is a giant leap in the right direction.
According to an Exonar survey, 61 percent of their UK respondents say they are on course to being GDPR compliant, while 6 percent believe they already are. A further 16 percent state that they have a plan but have not started to implement it yet (they will be in a hurry!). However, 16 percent of respondents said they haven’t even thought about GDPR. But what’s most shocking: 6 percent are waiting for Brexit to come into force, hoping it will mean that the GDPR won’t apply to them.
Unfortunately, it is a common misconception that Brexit means that UK companies are not covered by the GDPR. They are just as obligated as European, American, Australian or Chinese companies as long as they manage personal data on citizens residing in the European Union. And even if they aren’t, the UK is expected to follow the EU’s lead on data protection and introduce personal data legislation that mirrors the GDPR as closely as possible. So, with the complexity of solving the GDPR requirements in mind, these organizations have a lot of work to do and should get started as soon as possible.
If we look to the U.S., the tendency is similar: They are in a hurry.
According to a survey by Compuware Corporation, 94 percent of the CIOs of large U.S. corporations surveyed say their companies are holding personal information on European citizens, making them lawfully obliged to comply with the GDPR. However, the survey shows that only 60 percent have detailed plans in place to address its requirements.
According to Spiceworks’ recent survey, only 9 percent of IT pros in the U.S. have an understanding of what the regulation entails. Furthermore, 43 percent of U.S. based IT pros don’t believe GDPR will affect their organization.
The good news is that the GDPR seems to be receiving increasing attention outside of the EU. In a recent survey, PwC asked C-suite executives from large American multinationals about their data privacy and security agenda. 54 percent reported that GDPR readiness is the highest priority, while another 38 percent said GDPR is one of several top priorities. Only 7 percent said it isn’t a top priority.
What are the top challenges?
Why are companies so cautious in initiating the processes? Perhaps it is because most of them face huge challenges in meeting the GDPR’s requirements (we covered some of them in more depth in this blog post: Solved! 4 Biggest Personal Data Challenges of the General Data Protection Regulation).
A survey by Varonis Systems shows that over 90 percent of respondents see challenges complying with GDPR by the deadline. So, what’s the problem? In Exonar’s previously mentioned survey, almost one in five organizations (18%) admitted they don’t know where the relevant data is.
According to the same survey, the top three challenges for companies are:
1. Carrying out the so-called “Right to be forgotten,” where individuals can demand to have all their personal data deleted upon request (55% find this challenging).
2. Identifying personal information on their systems, understanding who has access to it, who is accessing it, and knowing when this data can and should be deleted (52% face this challenge).
3. Providing accountability via data owners and documenting that policies and processes are in place and successful (50% struggle with this).
According to SAS, these challenges are even bigger for large organizations and financial institutions, who have more difficulty finding stored personal data than other organizations.
How much will businesses spend on it?
The companies’ hesitation may also be due to the prospect of the massive bill expected to land on corporate desks as a result of the changes. The changes required to meet the GDPR do not come for free. Financial spending on GDPR is inevitable, and the investment is forecast to be immense. Research by Veritas Technologies suggests that companies will be spending an average of €1.3 million on systems and training to comply with the GDPR.
Other research by TrustArc gives a more detailed view of what companies of different sizes expect to spend on becoming GDPR compliant. According to the survey, 53 percent of companies with 500-1000 employees expect to spend between $100,000 and $500,000, while 23 percent of companies with more than 5,000 employees expect to be spending more than $1 million on GDPR compliance. The largest companies expect to spend somewhere in the range of $28 to $48 million.
Organizations in the U.S. will also invest heavily in the GDPR. Around one in four U.S. organizations (24%) plan to spend under $1 million on GDPR preparations. However, 68 percent say they will invest between $1 million and $10 million, while 9 percent expect to spend over $10 million. Unfortunately, the GDPR may also have very negative consequences for some, as 32 percent of the respondents say that they plan to reduce their presence in Europe, while 26 percent intend to exit the EU market altogether.
Are consumers aware and what will they do with their new rights?
It’s one thing for organizations to be prepared, another for the public to be, which raises the question: Do consumers know that they’ll be armed with powerful data rights in six months’ time? And will they use them? According to research carried out for DataIQ by Research Now, just one in ten consumers say they are very aware of the new data protection law and their new rights. Meanwhile, 24 percent are only slightly aware and 38 percent said they are not aware at all that the law is changing.
However, another poll from SAS shows that nearly half (48%) of UK adults plan to activate their new personal data rights, and 15 percent of these people even expressed that they intend to use their new rights in the same month that the GDPR comes into force (May 2018).
The previously mentioned Hubspot survey shows that 59 percent of Europeans will take advantage of the “right to be forgotten” that forces companies to completely delete their data from their databases. The same survey suggests that 55 percent will opt out of having their personal data stored and will request to see all the information a company holds about them. An astounding 91 percent of the same consumers expect companies they work with to be completely transparent about how their data is being used.
Turning the tables: What can be gained from GDPR?
Based on these stats, most companies will probably agree that the transition to the GDPR is a lot of work. However, companies shouldn’t merely see the GDPR as a burden but also as an opportunity to clean up their data and reap additional rewards from good data management (which we wrote more about in this blog post: Preparing for GDPR – burden or opportunity?). In fact, the organizations that manage to solve the GDPR efficiently will possibly be rewarded with customer loyalty and process optimizations.
Exonar’s survey shows that 71 percent of businesses believe that their data governance - and their IT capabilities (37%) - will improve as a result of the GDPR. A further 30 percent agree that complying with the GDPR will improve their image and 29 percent that customer satisfaction will be higher.
As we approach the deadline, it will be interesting to see whether organizations speed up and give GDPR compliance a higher priority. Most of them will certainly need to if they are going to meet consumer expectations after 25 May 2018.