Over a year on from the introduction of the General Data Protection Regulation (GDPR), the Capgemini Research Institute has found that companies vastly overestimated their readiness for the new regulation with just 28% having successfully achieved compliance.
This is compared to a GDPR readiness survey last year which found that 78% expected to be prepared by the time the regulation came into effect in May 2018. However, organizations are realizing the benefits of being compliant: 81% of those that are say GDPR has had a positive impact on their reputation and brand image.
Companies have responded to new requirements more slowly than they expected, citing barriers including the complexity of regulation requirements, costs of implementation and challenges of legacy infrastructure.
Meanwhile, a significant number of organizations are investing heavily in data protection and privacy to ensure compliance with existing regulations, and to lay the foundation for those to come.
Enterprises have fallen behind on GDPR compliance
Although over a year has passed since GDPR went into effect, the position of many enterprises remains uncertain in terms of compliance. While 28% of organizations say they have achieved compliance, just 30% of organizations are “close to” complete compliance but still actively resolving pending issues.
Compliance was highest with companies in the US (35%), followed by the UK and Germany (both on 33%), and lowest in Spanish, Italian, (both on 21%) and Swedish companies (18%).
Executives identified the challenges of aligning legacy IT systems (38%), the complexity of the GDPR requirements (36%) and prohibitive costs to achieve alignment with regulations (33%) as barriers to achieving full GDPR compliance.
The volume of queries from data subjects has also been extremely high: 50% of US companies covered by GDPR have received over 1,000 queries, as did 46% of French companies, 45% in the Netherlands and 40% in Italy.
As organizations struggle to comply, they are actually making significant investments to fulfil the costs of increased professional fees to support GDPR alignment; 40% expect to spend more than $1m on legal fees and 44% on technology upgrades in 2020.
In addition, organizations face a new challenge – the adoption of new legislation in different countries outside the European Union.
Benefits of being GDPR compliant are greater than expected
Opportunities are being lost by companies which fail to achieve GDPR compliance. Of the organizations that have achieved compliance, 92% said they gained competitive advantage, something only 28% expected last year.
The vast majority of executives from firms which achieved compliance said it had a positive impact on customer trust (84%), brand image (81%) and employee morale (79%).
Executives from compliant firms also identified positive second-order effects of implementing GDPR, including improvements in IT systems (87% vs. 62% who anticipated this in 2018), cybersecurity practices (91% vs. 57%) and organizational change and transformation (89% vs. 56%).
Technology is a key enabler for compliant organizations
The survey found a clear gap in technology adoption between compliant organizations and those lagging behind.
Organizations compliant with GDPR, in comparison with non-complying organizations, were more likely to be using cloud platforms (84% vs. 73%), data encryption (70% vs. 55%), Robotic Process Automation (35% vs. 27%) and industrialized data retention (20% vs. 15%).
Furthermore, while 82% of GDPR compliant organizations had taken steps to ensure their technology vendors were compliant with relevant data privacy regulations, only 63% of non-compliant companies could say the same.
A majority (61%) of the compliant organizations said they audit sub-contractors for data-protection compliance, compared to 48% of non-compliant companies.
The effort to maintain data protection and privacy compliance is a continuing one
Organizations need to have the right philosophy about data protection and privacy, and it is best to approach it proactively, rather than solely as a compliance activity.
“The GDPR is not something you will ever be done with. It is something that you need to work on continuously,” says Michaela Angonius, Vice President and Head of Group Regulatory and Privacy, Telia Company.
“We started raising awareness internally, long before the law was adopted. This was because we foresaw that this would be one of the biggest compliance projects that we would undertake in the company’s history.”
“This research underscores both the challenges for companies in achieving GDPR compliance, and the exciting opportunities for those that do,” said Zhiwei Jiang, CEO of Insights & Data at Capgemini.
“Clearly, many executives were over-ambitious in their expectations last year, and have now realized the extent of investment and organizational change that is required to achieve compliance: from implementing advanced technologies that support data protection to embedding a privacy and data protection mindset among employees.
“However, organizations must recognize the higher-than-expected benefits of being compliant, such as increased customer trust, improved customer satisfaction, strengthened employee morale, better reputation, and positive impact on revenue. These benefits should encourage every organization to achieve full compliance.”