Horrorshow, or, not half bad. Studies differ widely on GDPR readiness
The seemingly endless studies on corporate readiness for the pending General Data Protection Regulation demonstrate that data truly can be made to say just about anything. And if recent surveys are to be believed, organizations are either fairly well prepared for the new data privacy mandate … or they will fail miserably at compliance.
As evidence, consider the results of two different studies of GDPR compliance readiness that were both released this week. One paints a fairly optimistic picture of corporate readiness. The other tells a tale of doom.
First, for the good news.
Companies are taking the new General Data Protection Regulation much more seriously than the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Security Standards Council (PCI SSC) requirements, according to a survey conducted by Propeller Insights on behalf of Web application security company Netsparker.
About half of the more than 300 senior security executives surveyed online in March (49 percent) said their organizations are 75 percent of the way through the process of becoming compliant with GDPR, a set of regulations adopted by the European Union (EU) to protect citizens’ sensitive data from cybersecurity breaches. Organizations that fail to comply will face penalties when GDPR goes into effect May 25, 2018.
More than two thirds of the organizations (71 percent) are confident that they’ll be fully compliant by the deadline, but many of the organizations surveyed still are not compliant with PCI and HIPAA, the report said.
In preparation for GDPR, 57 percent of companies are re-engineering internal systems and procedures, 55 percent are recruiting new people specifically to tackle GDPR compliance, and 48 percent are re-engineering internal security teams.
For some, the cost of GDPR compliance will be steep, the report said. About one quarter of the organizations (24 percent) will spend between $100,000 and $1 million, and one in 10 said GDPR compliance will cost their business more than $1 million.
Now, for the bad news.
A study by SAS on global readiness reveals that only 7 percent of U.S. organizations consider themselves as GDPR compliant at this time, and only 30 percent expect to be by the May 25, 2018 deadline.
The picture is slightly better in Europe, where 53 percent of organizations surveyed expect to be GDPR compliant by May 25. Among global organizations, expected compliance falls to 46 percent.
The SAS survey does agree that data privacy is getting more attention, fueled in large part by the recent revelations of data sharing by Facebook with Cambridge Analytica. It also agrees that the financial implications of non-compliance with GDPR have served as a wake-up call for many organizations on the need for better data transparency and security.
Some 93 percent of organizations in the SAS study do have a compliance plan in place, or they expect to have one. A majority of respondents also expect to gain long-term benefits in the areas of data management and data governance.
“Consumers are now demanding the kind of trust that GDPR requires,” noted Todd Wright, senior product marketing manager at SAS. “Organizations that comply will have much stronger data management that leads to increased productivity and a better understanding and ability to serve their customers.”
Anticipated benefits from GDPR compliance and data privacy efforts, according to the SAS survey respondents, are:
- Improved data governance (cited by 84 percent)
- Increased trust between organizations and their customers (cited by 68 percent)
- Improved personal data quality
- Improved organizational image
- Movement toward being a data-driven organization