With only one month remaining before the EU's General Data Protection Regulation (GDPR) goes into effect, many organizations are still scrambling to be in compliance. That could mean hefty fines and legal consequences for most of the 448 institutions surveyed by KPMG Global Legal Services: more than half (54%) reported that they are not in compliance.
According to the senior legal counsels who participated in the survey, one of the Achilles' heels for compliance preparedness is third-party vendors. Even the commercial suppliers of those companies that collect data from customers protected by the regulations need to be GDPR compliant, yet the survey found that an overwhelming majority of businesses have not confirmed whether their down-line vendors are adhering to the regulations.
"Surprisingly, many businesses haven’t looked at their supply chain as a potential risk for GDPR compliance. This is particularly challenging for global organizations, with thousands of suppliers, and could be costly if not addressed with the appropriate rigor needed under the GDPR," said Juerg Birri, KPMG's global head of legal services.
An additional obstacle that many organizations face is that many boards do not understand or take seriously the full impact of these new regulations. Of the businesses that reported having board-level support, 69% have appointed a data protection officer, 55% document all of their data processing activities, and nearly half (49%) feel their employees are mostly or fully aware of their obligations under GDPR.
Other recent surveys report similar findings. Technology industry association CompTIA recently conducted a survey of 400 US companies on their GDPR readiness and found that only 22% of firms have started developing their compliance plans. “Confusion about the regulations remains a significant problem for many companies,” said Todd Thibodeaux, CompTIA president and CEO.
According to a CompTIA press release, "About one-third of the firms surveyed do not believe GDPR will have an impact on their current or future approach to business in the EU. Another third indicate GDPR may negatively impact their desire to engage in business activities in countries governed by GDPR. The remaining one-third of firms are unsure."
Only 13% of those companies surveyed by CompTIA reported being fully compliant with GDPR.