Given their location and customer base, it would be safe to assume that European companies are further along the GDPR compliance path than US companies, would it not? To test this hypothesis, Dimensional Research surveyed privacy professionals in both the US and UK to compare their attitudes toward privacy compliance in general, and GDPR readiness in particular.
I’ve spent the last two decades in the privacy and security industries and from where I stand, GDPR is a manifestation of the fundamentally different views of data protection we’ve seen for years, tracing back to historical and geopolitical reasons. No matter how difficult GDPR compliance might seem to US and other non-European organizations, the new regulation is designed to impart an unprecedented level of data protection and it’s here to stay.
Looking at the results of the US and UK surveys, a few findings strike me as particularly noteworthy.
UK and US companies are equally unprepared for GDPR
When it comes to privacy management in general, the overwhelming majority of respondents in both countries feel that managing privacy is becoming more complex and more important (93% UK, 98% US).
Looking specifically at GDPR, the findings show that UK companies are no better prepared than their American counterparts. Among both UK and US privacy professionals, more than 60% of respondents have not yet begun their GDPR implementation, and 90% need to invest in additional capabilities to comply with the regulation. One of those capabilities is technology, which half of both UK and US respondents cited as one of the top three areas they need to invest in to comply with GDPR.
At its core, I believe companies are struggling to comply with GDPR because we’re dealing with something new in data protection: regulating the use of data, not just its storage. In today’s data-driven business models, data touches literally everything, from marketing to IT to legal to finance.
Organizations are familiar with securing data, which has meant giving employees and other users all the access they want as long as it happens behind the perimeter. With GDPR, we’re looking at a whole new set of rules that apply not only to how data is stored, but also to how it is transferred and used, along with the legal and compliance ramifications that follow.
Now, the real question is how can companies use the data they harness to further their business, yet remain compliant. Compared to securing data, that’s a much more complex task as it involves reengineering complete data processes and environments. As such, it’s no wonder companies are struggling to become GDPR ready no matter if they’re European or not.
A greater number of US companies expect to invest significant amounts of money to comply with GDPR. 83% of US privacy professionals expect GDPR spending to reach six figures, whereas 69% of their UK colleagues expect to spend that much to become compliant. Among large companies, the difference is even starker: only 6% of UK privacy professionals expect to spend more than £740K, while as many as 25% of privacy professionals at large US companies expect to spend the equivalent amount, a hefty $1M.
It’s likely that UK privacy professionals’ greater familiarity with EU law is creating a false sense of comfort when it comes to accurately planning and preparing for GDPR. By the same token, the spending differences can likely be attributed to US privacy professionals requiring more consulting investment to understand and plan for the legal and compliance requirements, whereas more UK companies are skipping parts of the planning phase and investing directly in the technology solutions that will help them put a GDPR-ready process in place.
What about Brexit?
As the scope and timing of the British exit from the EU are still being determined, some hesitation among UK companies about when and how to comply with GDPR is to be expected. Though there’s no consensus on how Brexit will affect UK companies’ compliance requirements, a significant number of UK privacy professionals report that they are planning to change their GDPR planning in some way because of Brexit.
While a third of UK respondents report that their GDPR compliance program will remain intact, the rest say they are either moving their data centers outside the UK (24%), reducing their investment in GDPR implementation programs (26%), or putting their GDPR plans on hold entirely until they can determine the impact of Brexit and the proposed UK Data Protection Bill on their GDPR obligations (26%).
Another 27% say they are appointing a Data Protection Officer (DPO) outside the UK. DPOs are in high demand and hard to come by, making them a strategic investment and resource. A common strategy among US and other non-European companies is therefore to hire their DPO and place them in a European subsidiary. In light of that, the relatively low number of UK companies thinking strategically about DPO placement is a bit surprising, and one we’ll likely see increase as UK companies continue to adapt to their non-EU reality.
So where does this leave us in answering my original question: “Are UK companies better prepared than US companies for GDPR?” Based on the survey data, neither UK nor US privacy professionals feel very prepared for GDPR. Though fewer UK companies than US companies deem it necessary to make large investments in resources to comply, a clear majority of them will still do so.
On both sides of the ocean, privacy professionals have let us know that privacy management is becoming harder and that they need to invest time and money in solutions such as new technology to prepare for and comply with regulations like GDPR. So regardless of nationality, we as an industry have to collectively ensure that we’re delivering the resources privacy professionals require to comply, in order to keep our data safe and protected. That is the only responsible, legal and business-focused direction that will succeed in the future.