The results of a survey conducted by the Capgemini Research Institute has revealed that firms that companies seem to have greatly overestimated their level or preparation for the General Data Protection Regulation (GDPR) which was introduced just over 12 months ago on May 25 2018, with just 28% having successfully achieved compliance.

Capgemini surveyed over 1,000 compliance, privacy and data protection personnel, of whom 81% who stated that their company is GDPR compliant have experienced a boost for their branding, marketing and image due to achieving this level of compliance. A GDPR readiness survey was previously conduct by Capgemini in 2018, prior to GDPR becoming enforceable and 78% of companies questioned said that they felt they would be prepared by the time the regulation came into effect on May 25 2018.

This suggest that businesses have, worryingly, been slow to react to the new requirements more slowly than they expected due to a number of factors including costs. However the costs for being slow to adhere to GDPR could be much higher as the highest applicable financial penalty is €20m or 4% of annual global revenue for the previous calendar year – whichever figure is higher.

The new survey was conducted as part of the “Championing Data Protection and Privacy – a Source of Competitive Advantage in the Digital Century” report produced by Capgemini. It also revealed a range of other findings which make interesting reading for companies concerned about their levels of GDPR Compliance. They include:

Although over a year has passed since GDPR went into effect, the position of many enterprises remains uncertain in terms of compliance. While 28% of organizations say they have achieved compliance, just 30% of organizations are “close to” complete compliance but still actively resolving pending issues. Compliance was highest with companies in the US (35%), followed by the UK and Germany (both on 33%), and lowest in Spanish, Italian, (both on 21%) and Swedish companies (18%). Executives identified the challenges of aligning legacy IT systems (38%), the complexity of the GDPR requirements (36%) and prohibitive costs to achieve alignment with regulations (33%) as barriers to achieving full GDPR compliance.

The volume of queries from data subjects has also been extremely high: 50% of US companies covered by GDPR have received over 1,000 queries, as did 46% of French companies, 45% in the Netherlands and 40% in Italy. As organizations struggle to comply, they are actually making significant investments to fulfill the costs of increased professional fees to support GDPR alignment; 40% expect to spend more than $1m on legal fees and 44% on technology upgrades in 2020. In addition, organizations face a new challenge – the adoption of new legislation in different countries outside the European Union.

Compliance rates vary from country to country: Compliance was highest with companies in the US (35%), followed by the UK and Germany (both on 33%), and lowest in Spanish, Italian, (both on 21%) and Swedish companies (18%). The benefits of being GDPR compliant are greater than was predicted: Firms that are no GDPR compliant are missing out on business opportunities. 92% of GDPR compliant companies stated that they gained a competitive advantage over their business rivals. This figures was something that only 28% said they in the previous (2019) survey. 84% said GDPR compliance had a positive impact on customer trust, 81% on brand image and 79% on employee morale. Queries Registered from data subjects have been very high: 50% of US companies covered by GDPR have received over 1,000 queries, as did 46% of French companies, 45% in the Netherlands and 40% in Italy. Technology is a key enabler for compliant groups: Organizations compliant with GDPR, as opposed to non-complying businesses, have been more active in using cloud platforms (84% vs. 73%), data encryption (70% vs. 55%), Robotic Process Automation (35% vs. 27%) and industrialized data retention (20% vs. 15%). Additionally, while 82% of GDPR compliant organizations had move to see to it that their technology suppliers are GDPR Compliant, something just 63% of non-compliant companies could boast

Michaela Angonius, Vice President and Head of Group Regulatory and Privacy, Telia Company, speaking about the results of the survey, said: “GDPR is not something you will ever be done with. It is something that you need to work on continuously. We started raising awareness internally, long before the law was adopted. This was because we foresaw that this would be one of the biggest compliance projects that we would undertake in the company’s history.”

Also speaking about the publication of the report by his organization, Zhiwei Jiang, CEO of Insights & Data at Capgemini said: “This research underscores both the challenges for companies in achieving GDPR compliance, and the exciting opportunities for those that do. Clearly, many executives were over-ambitious in their expectations last year, and have now realized the extent of investment and organizational change that is required to achieve compliance: from implementing advanced technologies that support data protection to embedding a privacy and data protection mindset among employees. However, organizations must recognize the higher-than-expected benefits of being compliant, such as increased customer trust, improved customer satisfaction, strengthened employee morale, better reputation, and positive impact on revenue. These benefits should encourage every organization to achieve full compliance.”

Recent Fines Applied for GDPR Breaches