Just days before the General Data Protection Regulation (GDPR) enters into its enforcement stage, IBM has released an interesting report called The End of the Beginning, which documents the results of its survey of 1,500 business executives across various industries in 34 countries concerning the EU’s groundbreaking Regulation. The survey was conducted in February and April 2018 and demonstrates that the GDPR already is having a positive impact in terms of information governance, privacy, and data security practices in many companies. But perhaps most importantly, the survey indicates that a majority of executives view the GDPR as a catalyst for important changes within their organizations, rather than a mere compliance issue, reflecting a maturation in the approach companies are taking to privacy and security issues.
The Good News
Only 36% of respondents see GDPR as a mere regulatory mandate. Instead 39% view the Regulation as a chance to transform their security, privacy, and data management efforts, and 20% thought it could be a catalyst for new data-led business models.
The Regulation is also driving improved information governance practices. Approximately 80% of companies are cutting back on the amount of personal data they collect and store, 70% are disposing of more data, and 78% are reducing the number of individuals who have access to data.
In addition, many executives think GDPR will create more consumer trust in their businesses. A large majority of respondents (84%) anticipate that GDPR compliance will be a corporate differentiator to the public, and 76% believe that the Regulation will improve relationships between businesses and consumers.
Among the factors identified as top enablers of GDPR preparation were clearly defining responsibilities early in the compliance process, taking a holistic approach across privacy, processes, and security, and C-suite and/or board support in driving the process.
The Bad News
Fewer than 40% of respondents believed that their companies would be fully compliant by the May 25 deadline, and 18% had not even begun their compliance efforts at the time of the survey. The major compliance sticking points identified were: 1) locating data within the enterprise (data discovery) and ensuring data accuracy; 2) complying with data processing principles; 3) developing/updating privacy policies and notices; 4) obtaining data subject consents; and 5) appointing a Data Protection Officer (DPO).
The respondents also identified a number of uncertainties going forward once the GDPR takes effect. 44% were concerned that the Regulation could be modified or replaced in the near future, and 43% were worried about GDPR-related costs. Tactically, the respondents also expressed concern about ensuring adequate security controls at their data processors and accommodating an increased volume of data subject access requests.