Over a year on from the introduction of the General Data Protection Regulation (GDPR), Capgemini Research Institute has found that companies vastly overestimated their readiness for the new regulation with just 28 per cent having successfully achieved compliance; this is compared to a GDPR readiness survey last year which found that 78 per cent expected to be prepared by the time the regulation came into effect in May 2018. However, organizations are realizing the benefits of being compliant: 81 per cent of those that say GDPR has had a positive impact on their reputation and brand image.
The new reports finds that companies have responded to new requirements more slowly than they expected, citing barriers including the complexity of regulatory requirements, costs of implementation and challenges of legacy infrastructure. Meanwhile, a significant number of organizations are investing heavily in data protection and privacy to ensure compliance with existing regulations, and to lay the foundation for those to come.
Key findings from the report include:
Enterprises have fallen behind on GDPR compliance
Although over a year has passed since GDPR went into effect, the position of many enterprises remains uncertain in terms of compliance. While 28 per cent of organizations say they have achieved compliance, just 30 per cent of organizations are “close to” complete compliance but still actively resolving pending issues. Compliance was highest with companies in the US (35 per cent), followed by the UK and Germany (both on 33 per cent), and lowest in Spanish, Italian, (both on 21 per cent) and Swedish companies (18 per cent).
Executives identified the challenges of aligning legacy IT systems (38 per cent), the complexity of the GDPR requirements (36 per cent) and prohibitive costs to achieve alignment with regulations (33 per cent) as barriers to achieving full GDPR compliance. The volume of queries from data subjects has also been extremely high: 50 per cent of US companies covered by GDPR have received over 1,000 queries, as did 46 per cent of French companies, 45 per cent in the Netherlands and 40 per cent in Italy.
As organizations struggle to comply, they are actually making significant investments to fulfil the costs of increased professional fees to support GDPR alignment; 40 per cent expect to spend more than $1m on legal fees and 44 per cent on technology upgrades in 2020. In addition, organizations face a new challenge – the adoption of new legislation in different countries outside the European Union.
Benefits of being GDPR compliant are greater than expected
Opportunities are being lost by companies which fail to achieve GDPR compliance. Of the organizations that have achieved compliance, 92 per cent said they gained a competitive advantage, something only 28 per cent expected last year. The vast majority of executives from firms which achieved compliance said it had a positive impact on customer trust (84 per cent), brand image (81 per cent) and employee morale (79 per cent). Executives from compliant firms also identified positive second-order effects of implementing GDPR, including improvements in IT systems (87 per cent vs. 62 per cent who anticipated this in 2018), cybersecurity practices (91 per cent vs. 57 per cent) and organizational change and transformation (89 per cent vs. 56 per cent).
Technology is a key enabler for compliant organizations
The survey found a clear gap in technology adoption between compliant organizations and those lagging behind. Organizations compliant with GDPR, in comparison with non-complying organizations, were more likely to be using cloud platforms (84 per cent vs. 73 per cent), data encryption (70 per cent vs. 55 per cent), Robotic Process Automation (35 per cent vs. 27 per cent) and industrialized data retention (20 per cent vs. 15 per cent).
Furthermore, while 82 per cent of GDPR compliant organizations had taken steps to ensure their technology vendors were compliant with relevant data privacy regulations, only 63 per cent of non-compliant companies could say the same. A majority (61 per cent) of the compliant organizations said they audit sub-contractors for data-protection compliance, compared to 48 per cent of non-compliant companies.
The effort to maintain data protection and privacy compliance is a continuing one
Organizations need to have the right philosophy about data protection and privacy, and it is best to approach it proactively, rather than solely as a compliance activity. “The GDPR is not something you will ever be done with. It is something that you need to work on continuously,” says Michaela Angonius, VP and head of group regulatory and privacy, Telia Company. “We started raising awareness internally, long before the law was adopted. This was because we foresaw that this would be one of the biggest compliance projects that we would undertake in the company’s history.”
“This research underscores both the challenges for companies in achieving GDPR compliance and the exciting opportunities for those that do,” said Zhiwei Jiang, CEO of insights & data at Capgemini. “Clearly, many executives were over-ambitious in their expectations last year, and have now realized the extent of investment and organizational change that is required to achieve compliance: from implementing advanced technologies that support data protection to embedding a privacy and data protection mindset among employees. However, organizations must recognize the higher-than-expected benefits of being compliant, such as increased customer trust, improved customer satisfaction, strengthened employee morale, better reputation, and positive impact on revenue. These benefits should encourage every organization to achieve full compliance.”