Even though they were given two years' notice to achieve GDPR compliance, only half of companies self-reported as compliant by the May 25, 2018 deadline, a DataGrail survey reveals.
“The Age of Privacy: The Cost of Continuous Compliance” report benchmarks the operational impact of the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as sharing insights into lessons learned and attitudes toward privacy regulations.
DataGrail surveyed more than 300 U.S. privacy management decision makers, including IT, operations, security, legal, and risk and compliance professionals.
“Businesses without a European presence were not impacted by the GDPR. However, with the CCPA fast approaching, US businesses without GDPR are experiencing the same challenges that multinational companies did with GDPR,” said Daniel Barber, Co-founder & CEO, DataGrail.
“Most companies reported taking at least seven months to achieve GDPR readiness, but now with CCPA only seven months away, they realize their systems will not support CCPA and other forthcoming privacy regulations. Companies will need to integrate and operationalize their privacy management to avoid the time-consuming and error-prone manual processes to comply with these regulations.”
GDPR compliance took longer than expected
- Only half of companies achieved self-reported compliance before the May 25, 2018 deadline.
- Most companies took seven months or longer to achieve readiness.
Even GDPR readiness is costly
- Two-thirds of companies assigned dozens, or even hundreds, of employees to manage GDPR compliance. Based on the survey results, the average organization likely spent 2,000 to 4,000 hours in meetings preparing for GDPR, more than a full year of work.
- Half of privacy management decision makers spent at least 80 hours personally preparing for GDPR and another 80 hours sustaining compliance, a combined 160 hours, or roughly a full month of work.
Privacy rights requests are time-consuming and error-prone
- Half of companies use manual processes to manage GDPR privacy rights requests, such as the right to be forgotten.
- Two-thirds of companies have processed at least 100 requests in the past year, across dozens of business systems and third-party services, and most have at least 25 employees involved in request management. That adds up to thousands of touch points, each with the potential to introduce human error; the overwhelming majority of privacy professionals are working to reduce the risk of manual error in these requests.
CCPA compliance programs face the same challenges as GDPR programs
- Two-thirds of privacy professionals believe it will take less than six months to prepare for CCPA, even though most reported that GDPR preparation took seven months or longer. Worse, technology adoption rates for CCPA are lower than they were for GDPR: companies are relying primarily on training employees to manage privacy regulations, which increases both the cost and the risk of ongoing compliance.
Companies will be challenged by the future of privacy regulations
- Most companies are approaching privacy regulations on a case-by-case basis; two-thirds of privacy professionals agree the systems they have put into place will not support new regulations.
- 90% of companies plan to hire at least three new employees in the next two years to manage privacy regulations, but only one-third of companies are automatically updating their data inventory.
“It is evident from this research that most companies still rely on piecemeal technology solutions and manual processes, when they should be turning to privacy management solutions purpose-built for privacy regulations,” said Barber.
“As companies turn their attention from GDPR to CCPA and beyond, they must operationalize sustained compliance to reduce risk, provide transparency for their customers, and control operational costs.”