With the deadline a month away, only 40% of companies worldwide are prepared for the EU's General Data Protection Regulation (GDPR), according to a study released on Tuesday by Crowd Research Partners.
The main obstacle is lack of expert staff. But lack of budget is also a factor. And while none cite it, attitude may also be an issue: A fifth say GDPR is not a priority, and almost that many try to avoid notifying anyone in the event of a data breach.
“What is striking is the lack of GDPR expertise and an overall underestimation of the effort required to meet GDPR, which represents the most sweeping change in data privacy regulation in decades,” states Holger Schulze, CEO of Cybersecurity Insiders.
Cybersecurity Research Partners surveyed 531 IT, cybersecurity and compliance professionals.
Of the firms represented, only 7% are fully prepared, and 33% are well along the way. And 32% say they have initiated the process but do not feel they will meet the deadline. Another 28% have developed plans, but have not done much else.
The laggards are facing a long haul — 41% say it will take them a year or more, while 12% believe it will take 48 months and 14% believe it will take even more time.
At the same time, only 34% overall see GDPR as one of their top three priorities. In addition, 46% list it as one of a number of goals. And 20% say it is not a priority.
One area that needs improvement is having a process in place to notify authorities of a data breach. Of those polled, 43% always notify clients and authorities, but 42% do not. Another 15% have a process, but try to avoid notification.
Of the 11 chapters in the GDPR rulebook, the one that troubles firms the most is on the rights of the data subject — 42% cite it as a concern. Next is oversight of controllers and processors, listed by 37%.
When asked about specific articles of GDPR, 53% say they are most concerned about the right to be forgotten and erasure. Nothing else comes close.
However, companies don’t expect many access requests from data subjects — 50% expect to get them from only 10% of their base, and a mere 10% anticipate a 40% DSAR (data subject access request) rate.
As for data storage, 41% store data on-premises, 24% in a hybrid environment, 22% in a hosted data center and 11% in the public cloud.
Meanwhile, 28% say their firm’s security practices will see a substantial change. But 56% say there will be only minor change, and 16% say there will be none.
The study also found that 56% expect their firm’s data governance budget to grow, and 39% for it to remain flat. And 5% foresee a decrease.
As part of their compliance efforts, 71% are making an inventory of user data and mapping to protected EU GDPR categories, and 49% are evaluating solutions to enable users to exercise their data rights.
Here is the list of obstacles to GDPR compliance: