PwC’s second survey of executives about their preparations for the European Union’s General Data Protection Regulation (GDPR) has found that many companies are closer to compliance than they were in Fall 2016 – and budgets are increasing as they move forward.
The survey polled 300 CPOs, CIOs, general counsels, chief compliance officers, and VPs in related departments at US, UK, and Japanese companies with a European presence. The study revealed five significant changes compared to our baseline tally in November 2016.
With GDPR set to go into effect in May 2018, 11% of executives surveyed said their companies have now finished operationalized preparations. This tally is almost double the 6% that were finished last year. On the opposite side of the spectrum, the number of companies that have yet to even begin preparations has shrunk dramatically, from 23% last fall to just 7% in the most recent survey.
Significant gaps remain, however. Of the companies surveyed, 36% said they have just started the assessment process, meaning their journey toward GDPR readiness has just begun. As a result, these organizations risk not being fully compliant by the May 2018 deadline, facing regulator fines, litigation costs, and lost contract opportunities in Europe.
Compared to the UK and Japan, companies in the US have made the most progress toward compliance. Almost a quarter, or 22%, of US companies surveyed say they have finished GDPR preparations, compared to just 8% of UK companies and 2% of Japanese companies.
As companies ramp up their GDPR programs, budgets are expanding. Of the companies who said they have finished preparations, 88% reported spending more than $1 million on GDPR preparations and 40% reported spending more than $10 million. The pattern of increased spending was consistent regardless of company size.
Among all companies, 60% said they plan to spend at least $1 million on GDPR preparation projects and 12% plan to spend more than $10 million. The expanding budgets reflect many companies’ commitment to a cross-functional approach, as at least one-third of executives surveyed said their companies have completed preparations in each of PwC’s 10 standard GDPR implementation areas – with the information security, strategy and governance, and individual-rights processing workstreams leading the way.
US companies are further along in cross-functional areas than their counterparts in UK and Japan. Japanese companies, in particular, lag behind in several key areas, including data-lifecycle management, for which roughly one-in-five Japanese companies surveyed reported they have finalized implementation of preparations. Japanese companies are similarly behind in areas such as training, cross-border data strategy, and privacy incident management.
Although Japanese executives report they are behind in several key GDPR preparation areas, they expect to spend significant amounts of money to catch up. The survey found 77% of Japanese companies plan to spend at least $1 million on GDPR projects, compared to 62% of US companies, and just 43% of UK companies.
Because GDPR’s requirements are deep and complex, preparing for the new regulation requires buy-in and support from across an organization, including from departments that are not used to dealing with privacy issues. In response, many companies plan to use external firms to help with their preparation.
Among executives polled in this survey, 69% said they plan to use a technology firm to help with their preparations, 62% plan to hire a consulting firm, and 46% plan to hire a law firm. Roughly two-thirds of larger companies – those with greater than $500 million in revenues – say they will hire a consulting firm.
The growing probability that at least some companies will not have completed their GDPR projects by the May 2018 deadline has apparently created an opening for companies that are positioned to meet the date.
The survey found that some companies see their GDPR programs as a potential differentiator in the market. Among companies who have finished their GDPR preparations, 38% have engaged their investor relations departments, a potential indicator that they hope to highlight early compliance to help drive a competitive advantage.
In our next post, we’ll take a deeper look at some of the results from this survey, including which roles companies hold responsible for GDPR compliance, the impact of CEO involvement, and how companies are faring across the 10 major GDPR implementation areas.