The GDPR’s May 25, 2018 deadline set in motion a mad compliance and security scramble not only for European companies, but also for any company doing business in Europe or with European customers.
We just published a new market research report on GDPR. The purpose of this survey of 262 executives was to quantify – as close to the May 25th deadline as possible – the following three key issues related to GDPR:
- How do organizations view the emerging challenges tied to information privacy and security, and whom have they charged with this task?
- At the deadline, where are organizations in their GDPR journey and how much did they spend to get there? How do they assess their progress in meeting the core requirements of GDPR?
- What kinds of special pain points does unstructured information (i.e., content) raise in GDPR compliance efforts, and which core IIM technologies do organizations see as critical to their efforts?
Prior to the May 25 deadline, there was a wide variety of reporting about how prepared organizations would be:
- “Overall, only 15% of organizations surveyed expect to be fully compliant by May 2018, with the majority instead targeting a risk-based, defensible position.” (Deloitte, 2017)
- Only 43% said they were “very confident” about the core processes their company had in place to comply with GDPR requirements (Forrester, December 2017).
- “A joint survey issued by law firm McDermott Will & Emery and the Ponemon Institute found that just over half of respondents, 52%, said their organizations would be ready by the deadline.”
- “While 11% of organizations are completely prepared for GDPR (i.e., would be ready if it went into effect tomorrow), 33% say they are mostly prepared (i.e., most work done but some tasks left to accomplish), and 44% claim they are somewhat prepared (i.e., organization has identified all the steps to meet the GDPR deadline but are early in the process of completing all tasks).” (CSO Online)
Our findings suggest somewhat of a “good news/bad news” story with regards to the progress organizations had actually made by the deadline:
- Only 30% of organizations said they were 100% ready by the deadline, a bit lower result than was forecast by many prior to the deadline. A further discouraging note is that one in five organizations (21%) had yet to identify a Data Processing Officer.
- On the positive side, an additional 50% said they were 75% of the way toward their objective. This likely reflects a realization by many that they needed to prioritize areas where exposure was greatest. The most common initial steps taken by organizations were 1) examine and recast all of their contractual terms; and 2) get outside assistance in doing so.
- The level of budget dedicated to GDPR compliance is significant, reinforcing many predictions that this was indeed a watershed event. 33% of organizations said their GDPR compliance budget was in excess of €1 million; 15% said it was more than €10 million.
- The average GDPR budget was €3.5 million; the median was €500,000.
- Companies in the US and the UK reported a significantly higher GDPR budget than their European counterparts, perhaps reflecting a stronger initial privacy starting place for European companies.