Almost half of all businesses weren’t ready for GDPR when it took effect last year. And they may not be set up for the California Consumer Privacy Act (CCPA), although most say they will be, according to the Cost Of Continuous Compliance, a study by DataGrail.
Of the firms surveyed, 93% have begun to prepare for the CCPA and 66% expect to be ready in six months. The law will be implemented next January. But many are concerned about challenges such as anonymizing data, training employees and updating privacy policies.
As for GDPR, 51% were compliant with it by the May 25th deadline in 2018, and 31% by the end of that year. The remainder were still not up to speed when this survey was conducted in April, although 14% expected to be compliant by this month and 4% by the end of 2019.
But there has been a cost to compliance: 34% of the firms have spent from $100,000 to $499,999 on consulting and technology to adapt to GDPR, and 21% have spent from $500,000 to $999,999.
In addition, 14% have laid out $1 million to $4,999,999, and 5% have topped $5 million. Only 20% have paid $50,000 to $99,999 and 6% have paid less than that.
Money isn’t the only need. The average company spent between 2,000 and 4,000 hours in meetings preparing for the new law — over a year’s worth of work. And at enterprise companies, 49% of decision makers spent 80 hours personally preparing themselves.
It’s no easy job. Of the companies surveyed, 58% are receiving 11+ data subject requests per month, and 28% are getting 100 or more. And 58% have at least 26 employees working on the requests, although headcount alone is no guarantee of success; 84% report having a process in place to prevent human error.
In preparing, firms sent thousands of emails or alerts to manage those requests. But each touch increased the magnitude of risk, the study notes.
Despite the technology investments, almost half are encumbered by questionnaires and email-based workflows.
To cope with GDPR, 58% purchased commercial technology solutions and 57% developed internal systems. But 70% feel those systems will not scale as they are burdened with new regulations such as the California Consumer Privacy Act. Another 50% retained outside consultants and lawyers.
However, 50% feel the CCPA is too complex or vague, and 49% say they cannot effectively run workflows across multiple systems or services. In addition, 49% see no clear path for achieving compliance. Most had the same concerns about GDPR.
The most daunting requirements are right of access (50%), right of data portability (49%), right to incentive notice (39%), right to notice (36%) and right to opt out (34%).
On the positive side, fewer than half expect to purchase a technology solution. What are they doing instead? Employee training (61%), new privacy policy and process creation (53%) and internally developed technology (49%).
Worried about compliance? DataGrail urges you to do the following (and we quote):
DataGrail worked with research firm Marketcube to survey 301 privacy professionals and decision makers within affected companies.