• by Ray Schultz , September 18, 2019

American companies have been hit with many data breaches that must be reported under GDPR, judging by Keeping Pace in the GDPR Race, a global study sponsored by the law firm McDermott Will & Emery and MWE China Law Offices, and conducted by the Ponemon Institute.

Of the companies polled worldwide, half have had data breaches that must be reported under GDPR. Such incidents were reported to regulators by 39% of U.S. firms, as well as 43% of those in the EU, 36% in China and 33% in Japanese.

Yet only 18% are confident in their ability to communicate a data breach to regulators in the required 72-hour time frame. And 54% say GDPR was more difficult to implement than they expected. 

On average, U.S. firms suffered 2.49 breaches that were reportable under GDPR, versus 2.24 for EU companies, 2.10 for Japanese companies and 2.07 for those in China.

Overall, the leaks were due to these causes:

• Negligent insider — 45%
• Outsourcing data to a third party — 42%
• Cyber attack — 39%
• Systems glitch — 31% 
• Failure to protect actual documents — 19% 
• Malicious insider — 12% 
• Data lost in physical delivery — 10% 
• Do not know — 35% 

Despite these issues, 46% of U.S. companies say that compliance with GDPR will help in adhering to the California Consumer Privacy Act and other state laws. Of EU firms, 35% agree, as do 30% of Japanese companies and 27% of Chinese businesses.

Moreover, 43% of U.S. companies say that complying with the CCPA and other state laws will cause them to re-evaluate their position under GDPR.

Of the U.S. companies, 51$ give the same rights under GDPR to both U.S. and EU employees. 

Among the companies surveyed 1,263 individuals who work in IT, security, compliance, legal and data protection offices.