A significant percentage of U.S. companies are uncertain about or unprepared for the European Union’s General Data Protection Regulation (GDPR) that takes effect in just two weeks, according to a new survey by technology association CompTIA.
Just 13 percent of firms say they are fully compliant with GDPR, with another 23 percent reporting being mostly compliant, while 12 percent say they are somewhat compliant. However, a full 52 percent of 400 U.S. companies surveyed are either still exploring the applicability of GDPR to their business, have determined that GDPR is not a requirement for their business, or are unsure.
Those unsure companies appear to be the norm among the unprepared. “Confusion about the regulations remains a significant problem for many companies,” said Todd Thibodeaux, CompTIA president and CEO, in a news release. “Only one in four respondents claim to be very familiar with GDPR. Some believe it applies primarily to companies in the EU; others, only to large multinational corporations. Alarmingly, three in ten companies believe GDPR does not go into effect until the end of 2018.”
Nearly two-thirds of firms are unaware of the hefty GDPR fine structure for non-compliance
“With fines that could potentially reach the greater of 20 million euros or four percent of annual revenue, companies subject to the regulations are running a huge financial risk by failing to put a GDPR plan in place,” Thibodeaux said.
In preparing for GDPR, 22 percent of firms have developed a compliance plan. A similar percentage (21 percent) have conducted data audits and readiness assessments, including review of existing privacy policies, terms of services and consent protocols.
Despite the time and cost associated with GDPR compliance, most U.S. companies acknowledge receiving secondary benefits from the exercise. Nearly one in three companies see value in conducting an internal data audit, while 29 percent cite the benefits of reviewing and updating their data breach notification plan.
GDPR may have prompted some companies to examine their approach to data governance
Though relatively few companies (12 percent) have dedicated data governance officers or chief data officers that may change. One in four large companies surveyed indicate a strong likelihood to hire a data governance or chief data officer within the next two years.
The survey also finds that U.S. companies are split on whether GDPR will impact their business opportunities in the EU. About one-third of the firms surveyed do not believe GDPR will have an impact on their current or future approach to business in the EU. Another third indicate GDPR may negatively impact their desire to engage in business activities in countries governed by GDPR. The remaining one-third of firms are unsure.
The CompTIA research brief “The State of GDPR Preparedness in the U.S.” is based on the results of an April 2018 online survey of executives and professionals with some level of data responsibility for their organizations. A total of 400 individuals from small, medium and large companies across every industry sector of the U.S., economy participated in the survey. The complete research brief is available at CompTIA Insight & Tools.