Companies that take a multi-disciplined approach in preparing for the European Union’s General Data Protection Regulation (GDPR) are further along in the process than their counterparts, according to a PwC survey of executives preparing for GDPR. Furthermore, companies that include their CEOs in the process are more likely to be done with preparations, or nearing the finish line.
In Part 1 of our coverage of the survey results, we examined how companies are closer to compliance than they were last fall, when we first evaluated these criteria, and how budgets are increasing as companies move forward. The survey of 300 CPOs, CIOs, general counsels, chief compliance officers, and VPs in related departments at US, UK, and Japanese companies with a European presence shows progress, but for many companies, significant work remains.
Looking deeper into the numbers, we found that how companies approach GDPR programs – and who is involved in the process – can make a difference.
Having top executive support is critical for GDPR programs because the new law, set to take effect in May 2018, touches many parts of most companies. Indeed, surveyed corporations that acknowledge the CEO’s responsibility in GDPR preparations are further along in the process than their counterparts, with 44% reporting they have finished their preparations. By contrast, among companies in which the CIO, CTO, or the head of their IT department is ultimately responsible for GDPR preparations, only 31% say they have finished. The number is even lower – 15% – for companies that say their chief compliance officer or head of compliance spearheads the effort.
While companies that hold CEOs ultimately responsible for their GDPR preparations are farther along, most companies hold other executives accountable. According to the survey, more than half hold their chief compliance officer, head of compliance, CIO, CTO, or head of IT responsible. Only 17% hold their CEOs ultimately responsible. As the May 2018 deadline for compliance draws closer, companies that remain behind in their preparations should consider shifting accountability for their preparations to the highest level.
To fully prepare for May 2018, companies must have a comprehensive approach across all impacted areas. Our survey shows many companies are leaving out – at least for now – key divisions as they prepare for GDPR. While 79% of companies say they have involved their IT department, 58% have involved data privacy and 56% have involved compliance, significant gaps remain. Just 26% say human resources is involved, and communications and marketing functions lag behind as well. A statistically insignificant number of surveyed companies had engaged business units impacted by GDPR, suggesting that there is considerable time for multinationals to use GDPR readiness as a market differentiator.
As companies with operations in Europe roll out their GDPR programs, their progress across the ten GDPR workstreams PwC typically observes varies greatly. Half of companies surveyed reported they have finished implementing GDPR programs for their information security function, and another 38% said they have started implementation. The numbers are similar for the strategy and governance, individual rights processing, and policy management workstreams. That said, just over a third report having completed their cross-border data strategy, training and awareness, and data lifecycle management workstreams. Indeed, four of the five workstreams showing the least progress typically involve significant impact to the technology and product environment, which ordinarily consume more time and resources to address.