While the lead up to the enforcement date of the European Union’s (EU) General Data Protection Regulation (GDPR) was highly publicized, a recent survey suggests that most U.S. companies are unprepared to comply … if they’re aware at all. The May 2018 online survey was conducted by CompliancePoint, an information security and risk management firm. The survey asked respondents questions directed not just at preparation, but also how they expect GDPR will affect their businesses.
Of the approximately 1,300 respondents, only 29% said that they were fully aware of GDPR, 45% were somewhat aware, and 26% stated that they were unaware altogether. Only 24% of respondents felt that their organization was prepared to deal with GDPR compliance, while 36% said their organizations were unprepared and another 9% noted that they were unsure of where their organization stood regarding the regulations.
The respondents with knowledge of GDPR (74%) were asked to choose which Data Subject Rights requirements they felt their businesses would have the most trouble complying with. Most of the respondents selected the Records of Processing (48.5%) requirement as presenting the largest challenge. This was followed by Accountability (41.2%), Consent (39.7%), Data Portability (39.7%), and Right to Erasure (35.3%).
When asked what was preventing their organizations from becoming GDPR compliant, the largest share of respondents (45.6%) stated that their businesses were waiting to see what enforcement comes from the regulation, while 39.7% felt that their organizations lacked an understanding of the regulations. Additionally, 36.8% said that there wasn’t room in the budget to meet compliance. Others felt that they were at low risk (33.8%) of breaching compliance, while 27.9% were simply unconcerned.
Greg Sparrow, senior vice president and general manager at CompliancePoint, says that “many smaller organizations may not be considering their GDPR risk exposure as seriously as they should be.” Sparrow also points out that “the survey data is concerning considering the number of U.S. businesses operating internationally, as well as the high number of businesses that lack knowledge and regulatory understanding in the case of GDPR.”
The responses to another question from the survey highlight a further set of potential difficulties for these businesses. When asked how quickly their organizations could detect and respond to a data breach, one-third suggested they could respond within 30 to 60 days or more, and another 8% were unsure of what their detection and response capabilities are. With data breach laws now on the books in all 50 states, some of these organizations could find themselves out of compliance stateside as well.
If you are interested in learning more about the survey, feel free to visit CompliancePoint’s website.