Corporate GDPR preparations to stretch past May 2018

Six insights from PwC's third GDPR pulse survey

1. A wave of companies has only just begun GDPR preparations a few months before the regulation’s deadline.

Among US respondents, more than one-quarter (28%) say their organizations have only started operationalizing preparations and just about one in 10 say they have finished that work. In the UK, more than one-third of respondents have only begun making preparations, and 7% have finished. In Japan, just 13% say they have begun, and 6% have finished. 

Stagnated progress

2. Companies are furthest from completing GDPR preparations in three workstreams -- data processor accountability, data lifecycle management, and individual rights processing -- that can take a year or longer to complete.

GDPR program components

More than half of the respondents (55%) say they have not yet completed data processor accountability, which involves negotiating new GDPR contract addendums with vendors that process EU personal data. Large multinationals often maintain relationships with thousands of these types of companies.

In addition, 58% haven’t fully addressed GDPR data lifecycle management requirements, including minimizing the collection, use, and retention of EU personal data. Large corporations doing business in Europe often maintain many systems that hold such data.

Further, 59% have not yet completed GDPR individual rights processing requirements, including the rights to be forgotten and data portability, among others. Engineering these rights requires substantial development and testing before moving the new capabilities into production.

3. Most companies are budgeting for ongoing maintenance of their GDPR programs into their next fiscal years.  

Nearly half of all respondents (47%) plan to invest $1 million or more in GDPR compliance and monitoring, and nearly one-third (30%) plan to invest between $500,000 and $1 million.

Relatively more US respondents (55%) say they will invest $1 million or more, and 27% of US respondents say they will invest between $500,000 and $1 million. In both the UK and Japan, 42% plan to invest $1 million or more, and nearly one-third plan to invest between $500,000 and $1 million. 

Substantial ongoing investments

4. CIOs -- who often manage multiyear enterprise program plans -- increasingly are taking responsibility for GDPR compliance.

Ongoing accountability

More than one-third (35%) say the chief information officer (CIO), chief technology officer (CTO), or IT chief is responsible for GDPR compliance, up from 24% of Wave 2 respondents who said the same.

Nearly one-third (30%) say the chief compliance officer is responsible for GDPR compliance, up from 27% of Wave 2 respondents.

Only 17% say GDPR compliance is the CEO’s responsibility, and less than 10% say it is the board’s responsibility. However, many of the respondents are CIOs, so the results might partly reflect CIOs adopting a “buck stops with me” approach to GDPR compliance, rather than CEOs or boards abdicating responsibility.  

5. Most companies believe that GDPR enforcement efforts will kick in immediately after the May go-live date, spurring additional GDPR spending.

Two-thirds of retail respondents, and 58% of those in financial services, say they expect enforcement efforts to begin immediately. But more than three-quarters (77%) of telecom respondents say they expect compliance efforts to begin six months or longer after the deadline.

Expected enforcement

6. Many companies plan to implement technology in the coming year that will require significant additional work to remain compliant with GDPR.

Technologies impacted by GDPR

Nearly two-thirds of all respondents say their organizations will implement the internet of things (IoT) or advanced data analytics, while more than half (56%) plan to use artificial intelligence. Fully three-quarters of respondents from Japan say they will implement IoT. Among all respondents, 36% are planning to implement blockchain, and 30% are planning to implement robotics.
