Most FTSE 350 and Fortune 500 companies are underestimating whether they will be able to fully comply with the upcoming General Data Protection Regulation (GDPR) by May 2018, new research by international law firm Paul Hastings has shown today.
The survey of 100 FTSE 350 General Counsel (GCs) and Chief Security Officers (CSOs) and 100 Fortune 500 GCs and CSOs reveals that 98% of Fortune 500 companies consider themselves to be on track for GDPR, with 94% of FTSE 350 companies saying the same.
In both markets, although steps in the right direction are being taken, over half of companies across the UK and US aren’t readying themselves in time. Only 43% are setting up an internal GDPR taskforce (39% in the UK, 47% in the US), a third are hiring a third party to conduct a GDPR gap analysis (33% across both locations) and only one in three is hiring a third-party consultant or counsel to assist with compliance (33% in the UK, 37% in the US).
Despite being one of the crucial requirements for GDPR compliance for any business involved in the ‘large scale monitoring of individuals’, hiring a Data Privacy Officer or additional privacy staff has only been actioned by 29% of UK GCs/CSOs and even fewer Fortune 500 companies (18%). More significantly, only 10% of UK companies have allocated budget for GDPR compliance.
Behnam Dayanim, partner and global co-chair of the Privacy and Cybersecurity practice at international law firm Paul Hastings, said: “Achieving GDPR compliance is an enormous task – one that in our experience almost inevitably requires dedicated resources and budget. Against that backdrop, the confidence among major corporations revealed in our survey seems mismatched with those same businesses’ reports of their implementation efforts.
“With so few companies undertaking key compliance measures to date, it will be a race to the finish line for those needing to meet the terms of this wide-reaching regulation. This unfortunately seems to be setting up a scenario for multiple investigations and enforcement activities once the implementation date arrives.”
The EU’s General Data Protection Regulation (GDPR) is coming into force in May 2018 and will affect any business which controls or processes the data of EU citizens, regardless of where the business is located. As part of the wide-reaching regulation, businesses can be fined up to 4% of global turnover should they fail to comply with GDPR.