Prudent technology spending is crucial to meeting GDPR standards by the 2018 deadline, but one in four privacy professionals in Europe doubt their company will be ready in time, according to new research.
Investment in training is the number one action for avoiding fines for non-compliance with the GDPR, according to the report from the International Association of Privacy Professionals (IAPP) and Ernst & Young. Other necessary steps include appointing a Data Protection Officer (DPO) before the 25 May 2018 implementation date.
Failing to prepare for data breach notification is the top concern among survey respondents; inability to carry out data inventory and mapping comes second. Tied for third are failing to obtain data subject consent and improperly handling international data transfers.
Analysts estimate that the cost to Fortune 500 companies of enabling customers to request that data held on them be found and deleted could reach $7.8bn, the FT reports. That works out at a rough average of $16m per organisation.
Companies failing to comply with the Brussels regulation face fines of up to €20 million or four percent of the firm's annual global turnover, whichever is greater.
Stateside data security managers are on the whole more optimistic than their European counterparts, with 84% of US respondents confident of GDPR compliance by late May. The research suggests EU privacy chiefs are either more candid or short of resources: one in four admit their firm will likely miss the deadline. That figure stands even though organisations say they have increased privacy budgets, hired additional privacy staff, spent more on new technology and expanded privacy training.
Lack of clarity about the GDPR's implications is a roadblock for companies. A third of respondents (32%) said the biggest barrier to compliance is the sheer complexity of the GDPR. This is mainly a US concern, however, with 38% of stateside privacy professionals ranking it as their main worry. EU respondents name inadequate budget as their greatest hurdle, with legal complexity a close second. One in five of all respondents believe "too little time" could stand in the way of GDPR compliance.
The report also found that companies are already making key changes to their data management infrastructure. Encouragingly, a quarter of participants (24%) said that the lack of a DPO was the non-compliance risk they were least concerned about, most likely because they have already appointed one. Analysts estimate that 35% of EU respondents already meet the requirement for a dedicated DPO.
Trevor Hughes, president of the IAPP, said hiring lawyers and consultants in a bid to beat non-compliance risks is “a rolling cost”. Mr Hughes said: “May 2018 is by no means the end point as companies will have to invest in educating their employees in the new data framework”.
The IAPP surveyed 498 privacy professionals, most of whom work for organisations headquartered in either the United States (44%) or the European Union including the United Kingdom (44%). A further 4% were Canadian and just over 3% were from non-EU countries in Europe.