In a surprise finding, North American companies -- not Europeans -- currently are the most fully compliant with the EU’s General Data Protection Regulation (GDPR), according to findings of a survey of security decision-makers released today by Forrester Research.
The study finds that three months before the new rules become effective, 33% of North American companies are fully compliant, while only 26% of European companies are. At 29% each, both Latin American and Asia-Pacific companies also are currently more fully compliant than European companies.
This indicates that overall less than a third of impacted companies are compliant with just over ninety days before we reach "Go." And a substantial minority don't expect to be compliant at the outset. The stats are based on internal management assessments, not outside auditors. So are these figures reliable enough? That European firms are relative laggards shouldn't be a surprise, given how the EU enforces rules. Pressure and penalties have been commonly applied to non-EU companies first, while EU firms are somewhat sheltered. Penalties fall most harshly on the large US companies. Just ask Alphabet and Facebook.
It's unlikely that the companies claiming compliance are really so. EU and US privacy and consumer NGOs will ensure there is effective compliance and enforcement. Companies must reflect the letter--and spirit--of the GDPR.
There is also the strong potential of compliance bias.
That is, those in charge who were contacted for this survey and who have done the hard yards and already comply with GDPR, or are well on the way to complying with it, are probably more likely to respond to the survey than those who are not currently compliant and those who probably won't be compliant by the deadline. My suspicion is that these data are likely to be inflated.