GDPR awareness, readiness and compliance in the US, UK and Belgium

The GDPR (General Data Protection Regulation) represents a massive change in personal data protection and privacy. In combination with the ePrivacy Regulation it is changing the EU privacy and security landscape completely.

While the GDPR text has been published, the ePrivacy Regulation isn’t final yet. Achieving GDPR compliance, however, is a massive task and time is running out. Companies across the globe that process personal data of EU ‘data subjects’ (the GDPR applies to them too) are taking measures. Yet we often hear that many aren’t prepared at all. So, how ready are companies really? We take a look at GDPR awareness and compliance initiatives in the US, the UK and Belgium, where most EU institutions are.

Only 47 percent of UK businesses are aware of the GDPR

You can imagine that larger and data-intensive firms are somewhat more impacted by the GDPR than the average small business that processes personal data of EU citizens on a limited scale. For many large organizations there is more work, not just at the level of strategy and processes but also regarding roles and responsibilities. Many larger and data-intensive firms will need to appoint a Data Protection Officer (DPO), for instance.

General Data Protection Regulation 2017 - eye-opening facts and findings on GDPR readiness

GDPR awareness and readiness in the UK

There is a real rush to launch educational sites on the GDPR, to conduct surveys (which often indicate that many companies are far from ready and, in too many cases, not even sufficiently aware of the GDPR) and to publish content on the steps to take (which also depend on the individual organization).

As the GDPR involves various strategic steps, with GDPR awareness as the first one, it’s pretty scary to see that even in the area of awareness ABOUT the General Data Protection Regulation a lot of work remains.

UPDATE: according to March 2017 research by Crown Records Management, 24% of UK businesses stopped preparing for the GDPR because of Brexit.

According to research by three companies who joined forces and want a piece of that GDPR compliance pie too, in the UK for instance only 47 percent of businesses are aware of the GDPR.

Knowing that the GDPR applies from May 25th, 2018 (rather than from the summer of 2016, as we reported a year ago), and assuming the data are correct, this does look like a troubling situation: GDPR awareness needs a boost. The three companies that conducted the survey of approximately 2,000 IT professionals are LogRhythm, Gigamon and ForeScout Technologies.

On February 23rd, 2017, the UK DMA (Direct Marketing Association) published some GDPR readiness data too. The DMA reported that a quarter of businesses are not ready for the GDPR, with B2B marketers being the worst in class.

The finish line for GDPR readiness is fixed and the risk to businesses of not being compliant is significant. Our advice is to continue preparations in earnest over the coming year. Not making it across the line in time is not an option. (Chris Combemale, CEO of the DMA)

However, two things to point out: 1) whereas the aforementioned survey asked IT professionals, the DMA asked marketers, and 2) the 26 percent of marketers who say they are not ready say they BELIEVE they are not ready. So it’s hard to tell.

68 percent of marketers said they would be ready when the Regulation comes into force. We suppose that the other 32 percent don’t handle personal data of EU citizens and/or don’t think the GDPR will ‘happen’. Or maybe they can afford the fines, or simply don’t know and consider it up to the IT professionals to know. A really small minority of marketers (5 percent) said GDPR compliance was not their responsibility.

Obviously, the mentioned firms are not the only ones who want to get you prepared for the GDPR. There are literally hundreds. Again assuming that the data from the mentioned research are representative for the UK, there is better news from the US, at least if you consider awareness of and compliance with the GDPR good news.

US multinationals: GDPR compliance as a top priority

According to a survey by PwC, being compliant with the GDPR is the top data protection priority for 54 percent of US multinationals and one of several priorities for another 38 percent.

Doing the math: that’s 92 percent combined (the published figures are rounded, so the real total is 92 to 93 percent), leaving roughly 7 percent who said GDPR compliance isn’t a priority at all.

54 percent of US multinationals plan to de-identify European personal data to reduce GDPR risk exposure - source PwC GDPR preparedness pulse survey

Obviously it’s hard to compare the two surveys (different audiences). That GDPR compliance is big business (remember Y2K?) becomes clear when we know that, according to the PwC preparedness pulse survey, 77 percent of respondents plan to spend $1 million or more on the GDPR. Perhaps not fair in the eyes of governments and companies, but then again, a lot of that spending lands in the EU as well and, after all, personal data are worth something nowadays, aren’t they? One can hardly imagine a digital economy without such data in an age where data is a business asset beyond belief.

PwC also detected 5 “surprising” results, of which we just mentioned two: 1) the fact that it’s a top priority and 2) the budget fact.

Other results from the PwC preparedness pulse survey:

For US multinationals information security improvement is a top GDPR initiative, despite the rather generic security obligations in the GDPR.

Other priorities include data discovery, GDPR gap assessment, third-party risk management and privacy policies.

Next, there is the fact that binding corporate rules are gaining popularity.

75 percent of respondents said they will pursue binding corporate rules for EU cross-border data transfers and 77 percent intend to self-certify under the EU-US Privacy Shield, around which there is some nervousness in the relationship between the US and the EU.

A final surprising result, or rather set of results, concerns the ways US businesses re-evaluate their European presence.

But we invite you to read more about that – and more findings in the PwC report (PDF opens).

What about the EU? GDPR awareness and readiness in Belgium

What about the EU countries themselves? We take a look at Belgium, which is one of the two countries where most European institutions are.

40% of Belgian organizations have no privacy program or strategy, and only 30% have assessed compliance with current local pre-GDPR legislation (via PwC)

Our gut feeling turned out to reflect the truth: there is no reason whatsoever to point fingers at non-EU countries when it comes to GDPR readiness. On January 31st, 2017, PwC released the results of a survey, this time looking at whether Belgian organizations are ready for the General Data Protection Regulation.

To cut a long story short: Belgian organizations aren’t ready (at all). A majority of organizations, PwC said, are still working to prepare for the Regulation and quite a few haven’t even started yet.

Some findings:

  • 40 percent of polled organizations have not yet set up a privacy program, let alone a strategy.
  • Only 30 percent have assessed compliance with the current (!!) Belgian Data Protection Act.

Even though 67 percent of respondents said they already take ‘privacy by design’, one of the GDPR principles, into account (a claim that sits oddly next to the figures above), the picture is a rather dark one.

By the looks of it, neither the message of the GDPR nor the erosion of trust, which is once more at a record low according to Edelman’s 2017 Trust Barometer, has been understood yet.

When the GDPR applies and breaches have to be made public soon after they occur, many people will be in for a surprise. And these aren’t even our words but those of Zhiwei Jiang, Global Head of Financial Services, Insights & Data at Capgemini, in a February 2nd, 2017, Capgemini press release, which found that just one in five banks and insurers are confident they could detect a cybersecurity breach (Jiang sees the GDPR as a driver of more transparency in the industry).

EU General Data Protection Regulation - summary of some key GDPR changes - attention - read the details

To conclude with a bit of opinion: these findings show that companies, in Belgium and elsewhere in the EU too, look at personal data from a value perspective but not yet from a ‘consumer’ or ‘people’ perspective. That explains why firms are rushing to create awareness and get a piece of the pie. More importantly, it shows that the GDPR is needed if we want this digital market to move on without continuing to lose trust.

GDPR infographic by Varonis - source and more information

All the mentioned companies in this overview have their GDPR-specific landing pages and/or resources with insights and overviews. Here are some:

Apologies to the many others we haven’t mentioned here but, again, it’s a big GDPR world out there. More resources on our GDPR page.

And of course, there is always the EU’s own GDPR homepage, with a somewhat weird-looking and, in our view, not really necessary countdown timer.

Top image: Shutterstock – Copyright: Gajus – All other images are the property of their respective mentioned owners.