Pulse Survey: US Companies ramping up General Data Protection Regulation (GDPR) budgets


A recent PwC pulse survey asked C-suite executives from large American multinationals about the state of their plans for Europe’s landmark General Data Protection Regulation (GDPR). The “pulse” revealed five surprising results:

  1. Over half of US multinationals say GDPR is their top data-protection priority 
  2. Information security enhancement is a top GDPR initiative
  3. 77% plan to spend $1 million or more on GDPR
  4. Binding corporate rules are gaining popularity
  5. How US businesses are re-evaluating their presence in Europe

1) Over half of US multinationals say GDPR is their top data-protection priority

The EU reached agreement on the GDPR in December 2015, and in the last 12 months preparing for the new law’s obligations has jumped to the top of corporate agendas. Of the 200 survey respondents, 54% reported that GDPR readiness is the highest priority on their data-privacy and security agenda. Another 38% said GDPR is one of several top priorities, and only 7% said it isn’t a top priority.

2) Information security enhancement is a top GDPR initiative

Much of the discussion about the GDPR has focused on the law’s privacy-centric requirements, such as mandatory record keeping, the right to be forgotten and data portability. The GDPR’s relatively generic information-security obligations, however, figure prominently in GDPR plans of US companies.

  • Among the 23% of survey respondents who haven’t started preparing for GDPR, top priorities are data discovery, information security enhancement, third-party risk management and GDPR gap assessment.
  • Among the 71% who have begun GDPR preparation, the most-cited initiatives in flight are information security, privacy policies, GDPR gap assessment and data discovery.
  • Among the 6% who have completed GDPR preparations, the most-cited projects are information security, GDPR gap assessment, data discovery and third-party risk management.
  • IT re-architecture is the lowest priority for companies in all three phases.

3) 77% plan to spend $1 million or more on GDPR

Securing a $1 million budget for data privacy has been more an exception than a rule for many American corporations. The GDPR’s potential fines of up to 4% of global annual revenues, however, have changed budget appetites for mitigating this risk. While 24% of respondents plan to spend under $1 million on GDPR preparations, 68% said they will invest between $1 million and $10 million. Another 9% expect to spend over $10 million to address GDPR obligations.

4) Binding corporate rules are gaining popularity

The survey asked executives which EU cross-border data-transfer mechanism they planned to use for processing EU personal data outside of Europe. After the invalidation of the Safe Harbor agreement in October 2015, most Safe Harbor members implemented so-called model contractual clauses as a stop-gap measure.

Many observers, especially those in the legal community, thought model clauses would become the new norm. While 58% of respondents reported that their future strategies would include model contracts, a stunning 75% said they will pursue binding corporate rules (BCRs), and 77% plan to self-certify to the EU-US Privacy Shield agreement. The uncertain future of both model contracts and the Privacy Shield may drive US multinationals to adopt two or even all three of these options to hedge their risks.

5) How US businesses are re-evaluating their presence in Europe

US corporations that are heavily invested in Europe will probably stay the course in the near term. Indeed, 64% of executives reported that their top strategy for reducing GDPR exposure is centralization of data centers in Europe. Just over half (54%) said they plan to de-identify European personal data to reduce exposure. The threat of high fines and business-disrupting injunctions, however, clearly has many others reconsidering the importance of the European market. In fact, 32% of respondents plan to reduce their presence in Europe, while 26% intend to exit the EU market altogether.


Outlook: Striving to keep pace with the GDPR

American multinationals that have not taken significant steps to prepare for GDPR are already behind their peers. The typical large US corporation is currently moving through a data-discovery and assessment phase toward a multi-million-dollar remediation initiative that includes shoring up standard data-privacy and security capabilities in US operations. As European regulators in 2017 further clarify how they interpret the GDPR, more American companies are likely to re-evaluate the return-on-investment of their European initiatives.

Contact us

Jay Cline
Privacy Leader, Principal, PwC US
Tel: +1 (612) 596 6403

Carolyn Holcomb
Partner, Cybersecurity and Privacy
Tel: +1 (678) 419 1696

Joseph DiVito
Principal, Cybersecurity and Privacy
Tel: +1 (412) 980 9520

Jocelyn Aqua
Principal, Cybersecurity and Privacy
Tel: +1 (202) 730 4862
