Why only one in three organizations are GDPR compliant -- and the risks they're facing as a result Watch Now

Under one in three organisations are fully compliant with the General Data Protection Regulation, despite the privacy legislation coming into force across Europe almost a year and a half ago.

Consultancy firm Capgemini surveyed over 1,000 compliance, privacy and data protection personnel and found that despite three quarters of them having previously been confident about being compliant by the time GDPR came into force in May 2018, that isn't the case in reality and many are still struggling to adhere to the legislation.

Now just 28% of those surveyed believe they're fully GDPR compliant – despite regulators being willing to issue heavy fines.

SEE: IT pro's guide to GDPR readiness (free PDF)

The UK's Information Commissioner's Office (ICO) has already issued a record fine of £183m to British Airways for what it concludes to be "poor security arrangements", which led to personal data of half a million customers being stolen by hackers in a cyberattack disclosed in September 2018.

"For many organisations, the true size of the GDPR challenge only became apparent as they began the initial projects to identify the applicable data that they held. As a result, only the most focused organisations had completed their GDPR readiness by the time the legislation came into force," Chris Cooper, head of cybersecurity practice at Capgemini, told ZDNet.

Businesses that aren't yet compliant with privacy legislation point to a number of obstacles that prevent them from being so. Chief among those is legacy IT systems, with 38% of those surveyed suggesting that their current IT landscape isn't aligned to the complexities of GDPR.

Meanwhile, 36% believe the requirements of GDPR are too complex and require a lot of general effort to implement, while one third of respondents say that the financial costs of achieving alignment with GDPR are too prohibitive.

Not only are businesses that remain non-compliant putting themselves at risk of falling victim to a data breach and the financial and reputational damage that could create – alongside the financial cost of a regulator fine – they're also holding themselves back from the benefits that compliance can bring.

The Capgemini survey found that of those organisations that are fully GDPR-compliant, 92% of executives from these firms believe that being so has given them a competitive advantage by enabling them to improve customer trust, customer satisfaction and brand image, with all of this helping to boost revenue.

GDPR-compliant organisations also point to benefits behind the scenes, with around four in five of those surveyed of the opinion that being compliant with data protection regulation has helped improve IT systems and cybersecurity practices throughout the organisation.

"Organisations need to promote a data protection and privacy mindset among employees and integrate advanced technologies to boost data discovery, data management, data quality, cybersecurity, and information security efficiencies," said the report.

"Firms that take these actions proactively – and view data protection and privacy regulation as an opportunity – will secure a significant competitive advantage".

SEE: GDPR one year later: The challenges organizations still face

An ICO spokesperson also told ZDNet that GDPR can help organisations improve how they operate and the way they're perceived by clients and customers.



"We want organisations to focus on how data protection law can help them to get it right and enhance their reputations by earning people's trust and confidence, rather than how they might be punished if they get it wrong."

Organisations should also note that data protection is an ongoing issue that needs to be repeatedly reexamined: just because an organisation was compliant on a certain date, that doesn't mean it shouldn't continue to examine how it handles data – because complicity could easily result in future trouble.

"The introduction of GDPR was not a deadline but the start of an ongoing process and there is a lot more work to be done. That said, we will not hesitate to act in the public's best interests when organisations wilfully or negligently break the law," said an ICO statement.

MORE ON DATA PROTECTION