With a few months left before European regulators start enforcing the EU’s General Data Protection Regulation (GDPR), firms around the world are getting ready for the new requirements. While the headlines of the last six months tormented us with the news that companies are largely and deeply unprepared for GDPR, our data shows a more encouraging — and complex — picture.
There Is Good Progress, But There Are Also Missteps, And A Lack Of Awareness Persists
Whether running a substantial compliance program or just making small adjustments, many firms worldwide are working toward GDPR compliance, and data from the Forrester global data security survey shows that:
One in three firms believes they are GDPR-compliant today — but they may not be. Our data shows that nearly 30% of companies globally report being fully GDPR-compliant today. However, based on our qualitative research, we believe that only a portion of these firms have actually carried out data discovery and classification exercises, built data flow maps, and run a gap analysis. Instead, many firms have taken a piecemeal approach to GDPR, focused mainly on requirements that rely primarily on IT to meet specific obligations, such as data breach notification. These approaches are short-sighted and will most likely need radical revision after enforcement of the GDPR rules starts in May.
European companies are the most pessimistic about their readiness. In Europe, 26% of firms report that they are fully GDPR-compliant. This number is the smallest across geos; nonetheless, it’s still high. As we consider this evidence, we also must bear in mind that GDPR is a principle-based regulation: to determine whether they are compliant, companies must judge whether their risk mitigation strategies are effective and in line with GDPR requirements. In many cases, this is not a simple black-or-white assessment. To make this even more difficult, many firms still find the interpretation of many GDPR requirements unclear today. Our data shows that another 22% of European firms expect to be GDPR-compliant within 12 months.
Too many firms still believe that GDPR doesn’t apply to them. GDPR has extraterritorial effect. This means that companies that are not physically present in the EU still have to comply with the rules. In particular, if firms sell products or services to the European market, or if they collect data on Europeans to build profiles, for example, they fall within the scope of the rules. GDPR applies both to companies that directly engage in data collection and define the purposes and means of processing activities (controllers) and to firms that process data on behalf of their clients and strictly follow their directions (processors). Therefore, the percentage of companies not affected by GDPR is small. Unfortunately, our data suggests that more guidance is necessary to help firms correctly assess their status under the new rules.