With GDPR in force for five months, 56% of companies are still not compliant — and 19% say they will never be, according to the IAPP-EY Annual Privacy Governance Report.
Yet they are spending money on compliance — an average of $1.3 million to date, with an additional $1.8 million spend expected.
And some GDPR challenges do not seem as daunting as they did last year. Rated on a difficulty scale from one to 10, data portability has fallen from 6.3 to 5.3.
And gathering explicit consent has declined from 5.9 in 2017 to 4.6 this year.
However, U.S. firms are still struggling with some of those requirements. For instance, they rate consent as 5.5% in difficulty and the right to be forgotten as 6.6.
American firms are more daunted by deleting customer data and access requests.
Overall, 76% say GDPR has motivated them to delete data, and 21% plan to do so in the near future.
In addition, 75% have appointed a data protection officer, although 48% say this is to perform a valuable business function as much as it is to deal with the law.
Of the European firms, 89% have named a DPO, while 67% of the U.S. respondents have done so. But U.S. firms are more likely than their EU counterparts to have a chief information security officer.
Almost 60% of the privacy leaders at companies have taken on the DPO responsibilities themselves.
The research also found that 25% have changed data processors in response to GDPR, and 30% are considering future changes.
Of the vendors polled, however, only 7% say they have lost processing business.
Of the average GDPR spend, 33% has gone into staff, 22% to tech solutions, 18% to outside counsel, 15% to consultants and 12% to training. However, 79% cite training as their leading GDPR investment priority for this year.
Despite the GDPR spending, the average privacy budget has fallen from $2.1 million last year to $1 million.
This is largely due to large firms cutting back now that they have spent large amounts on the GDPR preparation cycle, the report states.
The study also found that full-time privacy staffs have grown to a mean of 10 people. Oddly, B2B marketers are more likely than B2C marketers to have full-time privacy professionals on board.
Of the companies polled, 83% report GDPR compliance status to their boards, but 68% report data breaches -- down from 80% in 2016.
The IAPP surveyed 550 privacy professionals who subscribe to its Daily Dashboard. Of that sample, 76% feel their firms fall under GDPR.