More than a year on, 28% of firms are GDPR compliant
Written by Peter Walker
Over a year on from the introduction of the General Data Protection Regulation (GDPR), the Capgemini Research Institute has found that companies vastly overestimated their readiness for the rules, with just 28 per cent having successfully achieved compliance.
This is compared to a GDPR readiness survey last year which found that 78 per cent expected to be prepared by the time the regulation came into effect in May 2018.
However, organisations are realising the benefits of being compliant, with 81 per cent saying GDPR has had a positive impact on their reputation and brand image.
The research surveyed 1,100 senior executives, at director level and above, spread across eight sectors: insurance, banking, consumer products, utilities, telecom, public services, healthcare, and retail. It covered executives in companies headquartered in: France, Germany, Italy, Netherlands, Norway, Spain, Sweden, UK, US, and India. Capgemini also conducted interviews with industry leaders and experts, examining the current status and impact of data privacy regulations.
The report found that companies have responded to new requirements more slowly than they expected, citing barriers including the complexity of regulation requirements, costs of implementation and challenges of legacy infrastructure. Meanwhile, a significant number of organisations are investing heavily in data protection and privacy to ensure compliance with existing regulations, and to lay the foundation for those to come.
While 28 per cent said they had achieved compliance, a further 30 per cent said they were 'close to' complete compliance but still actively resolving pending issues. Compliance was highest among companies in the US (35 per cent), followed by the UK and Germany (both on 33 per cent), and lowest among Spanish and Italian companies (both on 21 per cent) and Swedish companies (18 per cent).
Executives identified the challenges of aligning legacy IT systems (38 per cent), the complexity of the GDPR requirements (36 per cent) and prohibitive costs to achieve alignment with regulations (33 per cent) as barriers to achieving full GDPR compliance.
The volume of queries from data subjects has also been extremely high: half of US companies covered by GDPR have received over 1,000 queries, as did 46 per cent of French companies, 45 per cent in the Netherlands and 40 per cent in Italy.
As organisations struggle to comply, they are making significant investments in professional fees and technology to support GDPR alignment: 40 per cent expect to spend more than $1 million on legal fees in 2020, and 44 per cent expect to spend more than $1 million on technology upgrades.
Opportunities are being lost by companies which fail to achieve GDPR compliance, according to the report. Of the organisations that have achieved compliance, 92 per cent said they gained competitive advantage, something only 28 per cent expected last year.
The vast majority of executives from firms which achieved compliance said it had a positive impact on customer trust (84 per cent), brand image (81 per cent) and employee morale (79 per cent).
Executives from compliant firms also identified positive second-order effects of implementing GDPR, including improvements in IT systems (87 per cent versus 62 per cent who anticipated this in 2018), cybersecurity practices (91 per cent vs. 57 per cent) and organisational transformation (89 per cent vs. 56 per cent).
The survey found a clear gap in technology adoption between compliant organisations and those lagging behind. Those compliant with GDPR, in comparison with non-complying organisations, were more likely to be using cloud platforms (84 per cent vs. 73 per cent), data encryption (70 per cent vs. 55 per cent), Robotic Process Automation (35 per cent vs. 27 per cent) and industrialised data retention (20 per cent vs. 15 per cent).
Furthermore, 82 per cent of GDPR-compliant organisations had taken steps to ensure their technology vendors were compliant with relevant data privacy regulations, compared with only 63 per cent of non-compliant companies.
Zhiwei Jiang, chief executive of insights and data at Capgemini, commented: “Clearly, many executives were over-ambitious in their expectations last year, and have now realised the extent of investment and organisational change that is required to achieve compliance: from implementing advanced technologies that support data protection to embedding a privacy and data protection mindset among employees.
“However, organisations must recognise the higher-than-expected benefits of being compliant, such as increased customer trust, improved customer satisfaction, strengthened employee morale, better reputation, and positive impact on revenue.”