Among US respondents, more than one-quarter (28%) say their organizations have only started operationalizing preparations and just about one in 10 say they have finished that work. In the UK, more than one-third of respondents have only begun making preparations, and 7% have finished. In Japan, just 13% say they have begun, and 6% have finished.
More than half of the respondents (55%) say they have not yet completed data processor accountability, which involves negotiating new GDPR contract addendums with vendors that process EU personal data. Large multinationals often maintain relationships with thousands of these types of companies.
In addition, 58% haven’t fully addressed GDPR data lifecycle management requirements, including minimizing the collection, use, and retention of EU personal data. Large corporations doing business in Europe often maintain many such systems.
Further, 59% have not yet completed GDPR individual rights processing requirements, including the rights to be forgotten and data portability, among others. Engineering these rights requires substantial development and testing before moving the new capabilities into production.
Nearly half of all respondents (47%) plan to invest $1 million or more in GDPR compliance and monitoring, and nearly one-third (30%) plan to invest between $500,000 and $1 million.
Relatively more US respondents (55%) say they will invest $1 million or more, and 27% of US respondents say they will invest between $500,000 and $1 million. In both the UK and Japan, 42% plan to invest $1 million or more, and nearly one-third plan to invest between $500,000 and $1 million.
More than one-third (35%) say the chief information officer (CIO), chief technology officer (CTO), or IT chief is responsible for GDPR compliance, up from 24% of Wave 2 respondents who said the same.
Nearly one-third (30%) say the chief compliance officer is responsible for GDPR compliance, up from 27% of Wave 2 respondents.
Only 17% say GDPR compliance is the CEO’s responsibility, and fewer than 10% say it is the board’s responsibility. However, many of the respondents are CIOs, so the results might partly reflect CIOs adopting a “buck stops with me” approach to GDPR compliance, rather than CEOs or boards abdicating responsibility.
Two-thirds of retail respondents, and 58% of those in financial services, say they expect enforcement efforts to begin immediately. But more than three-quarters (77%) of telecom respondents say they expect compliance efforts to begin six months or longer after the deadline.
Nearly two-thirds of all respondents say their organizations will implement the internet of things (IoT) or advanced data analytics, while more than half (56%) plan to use artificial intelligence. Fully three-quarters of respondents from Japan say they will implement IoT. Among all respondents, 36% are planning to implement blockchain, and 30% are planning to implement robotics.