Commentary

Big Spender: U.S. Firms Budget More For GDPR Than EU, UK Outfits

Almost all companies have made some strides toward GDPR compliance. But U.S. firms lag behind those in the UK and EU, although they spend the most money on it, according to GDPR Compliance Status, a study from TrustArc, conducted by Dimensional Research. 

Some 25% of U.S. firms allocate at least $1 million to GDPR compliance, versus 10% in the UK and 7% in the EU.

Among all firms, 31% plan to make substantial investments in technology, and 49% expect to make fairly large investments.

Still, 27% of the EU outfits are compliant, compared with 21% of the UK firms and 12% of U.S. firms. But large percentages have started their implementation — 26% in the UK and 22% apiece in the EU and the U.S. Only 4% have not begun the process. Overall, only 20% are fully compliant.

What’s more, 56% of U.S. firms expect to be fully compliant this year. And a majority (68%) have spent six figures to date on GDPR, and 27% have shelled out seven figures, with 1% spending more than $5 million. And roughly the same percentages expect to spend the same this year.


Reasons for compliance seem to be the same across all regions. The first one — cited by 59% of firms in the U.S., 58% and 54% in the UK — is to meet customer expectations and requirements. The second reason is to support company values.

TrustArc points out that those goals far outweigh fear of fines or class action lawsuits, with percentages hovering around 40%.

But obstacles remain. U.S. firms are more likely to blame insufficient budgets, at 40% versus 30% in the UK and 28% in the EU.

An even bigger concern is the complexity of the regulation, which is daunting for 72% in the EU, 69% in the U.S. and 58% in the UK.

Overall, 48% also complain about a lack of knowledge or understanding of what to do, 45% complain of shortages of qualified staff and 42% complain about access to technology tools.

But IT staff are more likely to specify the complexity of the regulation — at 69%, compared with 64% of legal staff.

Legal team members are the first ones to gripe about access to technology tools — 58%, versus 30% of IT staff — and insufficient budget (40% to 26%).

Of all the respondents, 27% say they are fully compliant regarding updated policies and procedures, and 25% with cookie consent management. In addition, 22% are up to speed concerning individual rights.

But only 13% have fully completed a vendor risk management program, and 16% with international data transfer mechanisms.

Overall, 65% say GDPR has had a positive impact on their business.

Finally, 59% say maintaining GDPR compliance is their main privacy initiative, and 43% state that their main priority is to demonstrate GDPR compliance.
