The European Union’s General Data Protection Regulation (GDPR) went into effect in 2018 and now, more than a year later, data from Capgemini Research Institute shows that companies are overestimating their readiness for the data protection and privacy rules, with only 28 percent of those surveyed having successfully achieved compliance. This is despite 78 percent of companies saying in a readiness survey last year that they would be in compliance by the time the regulation went into effect. However, while many organizations are falling behind, among those that are compliant, 81 percent say GDPR has had a positive impact on their reputation and brand image.
Capgemini’s “Championing Data Protection and Privacy – a Source of Competitive Advantage in the Digital Century” report finds that companies have responded to the new requirements more slowly than they expected, citing barriers including the complexity of regulation requirements, costs of implementation and challenges of legacy infrastructure. Meanwhile, a significant number of organizations are investing heavily in data protection and privacy to ensure compliance with existing regulations, and to lay the foundation for those to come.
While 28 percent of organizations say they have achieved compliance, just 30 percent of organizations are close to complete compliance but are still actively resolving pending issues. Compliance was highest with companies in the U.S. (35 percent), followed by the UK and Germany (both at 33 percent), and lowest among Spanish and Italian (both at 21 percent) and Swedish companies (18 percent).
Executives identified the challenges of aligning legacy IT systems (38 percent), the complexity of the GDPR requirements (36 percent) and prohibitive costs to achieve alignment with regulations (33 percent) as barriers to achieving full GDPR compliance. The volume of queries from data subjects has also been extremely high: 50 percent of U.S. companies covered by GDPR have received over 1,000 queries, as did 46 percent of French companies, 45 percent in the Netherlands and 40 percent in Italy.
Organizations are making significant investments to cover the increased professional fees needed to support GDPR alignment, with 40 percent expecting to spend more than $1 million on legal fees and 44 percent on technology upgrades in 2020. In addition, organizations face a new challenge in the adoption of new legislation in different countries outside the European Union.
Capgemini suggests that opportunities are being lost by companies that fail to achieve GDPR compliance. Of the organizations that have achieved compliance, 92 percent said they gained a competitive advantage, something only 28 percent expected last year. The majority of executives from firms that achieved compliance said it had a positive impact on customer trust (84 percent), brand image (81 percent) and employee morale (79 percent). Executives from compliant firms also identified positive second-order effects of implementing GDPR, including improvements in IT systems (87 percent vs. 62 percent that anticipated this in 2018), cybersecurity practices (91 percent vs. 57 percent) and organizational change and transformation (89 percent vs. 56 percent).
The survey also found a clear gap in technology adoption between compliant organizations and those lagging behind. Organizations compliant with GDPR, in comparison with non-complying organizations, were more likely to use cloud platforms (84 percent vs. 73 percent), data encryption (70 percent vs. 55 percent), Robotic Process Automation (35 percent vs. 27 percent) and industrialized data retention (20 percent vs. 15 percent). Furthermore, while 82 percent of GDPR-compliant organizations took steps to ensure their technology vendors were compliant with relevant data privacy regulations, only 63 percent of non-compliant companies could say the same. A majority (61 percent) of the compliant organizations said they audit sub-contractors for data-protection compliance, compared to 48 percent of non-compliant companies.
“The GDPR is not something you will ever be done with. It is something that you need to work on continuously,” says Michaela Angonius, vice president and head of group regulatory and privacy, Telia Company. “We started raising awareness, internally, long before the law was adopted. This was because we foresaw that this would be one of the biggest compliance projects that we would undertake in the company’s history.”
Zhiwei Jiang, CEO of insights and data at Capgemini, adds, “This research underscores both the challenges for companies in achieving GDPR compliance and the exciting opportunities for those that do. Clearly, many executives were over-ambitious in their expectations last year, and have now realized the extent of investment and organizational change that is required to achieve compliance: from implementing advanced technologies that support data protection to embedding a privacy and data protection mindset among employees. However, organizations must recognize the higher-than-expected benefits of being compliant, such as increased customer trust, improved customer satisfaction, strengthened employee morale, better reputation and positive impact on revenue. These benefits should encourage every organization to achieve full compliance.”