Companies and the Race for GDPR Compliance

By Brodie Bavidge, Updated: 2022-04-19 (published on 2019-12-19)


As 2020 approaches, it is worth looking back at the numerous studies conducted during 2019 with the aim of seeing how far companies have come in their GDPR compliance efforts. With fines and penalties still being issued by data protection regulators in their respective countries, it appears that companies, from multinational corporations to SMEs, are still struggling to become fully compliant with the GDPR.

In this blog post, we take a look at several key studies carried out by different types of organisations, the numbers in their findings, and how it all shapes the race for compliance.

GDPR compliance at a glance

A study conducted by RSM in July 2019 looked at 300 companies across 34 countries within Europe that had previously been engaged with the European Business Awards. The aim was to look at the different struggles companies faced in their compliance efforts.

The research found that a significant number of companies continue to struggle to keep up with the GDPR. In fact, the report found that one in three companies in Europe were still not GDPR compliant, over a year after its enforcement. The report also revealed that only 57% of businesses were confident that their business had followed the obligations set out by the GDPR, while 13% were still very unsure about their efforts. The results also showed that small and medium-sized enterprises (SMEs) were “struggling to understand and implement” GDPR compliance efforts. Further key takeaways of the report are:

• 38% of businesses did not necessarily understand when consent is needed to hold and process data
• 35% were not sure how they should monitor their employees’ use of personal data
• 34% did not understand what measures are needed to ensure third party supplier contracts are GDPR compliant
• 21% admitted that they still had not implemented a cyber security strategy

However, the study also indicated a positive effect: 73% of businesses stated that with the GDPR’s implementation, they have been encouraged to further improve the way they handle customer data.

The data above suggests what GDPR compliance efforts look like for businesses in Europe as of 2019. However, companies operating outside the EU that deal in any way with people or companies located in the EU must also adhere to the regulation. Moreover, the RSM report focused on SMEs within Europe. So let us take a broader perspective and see what research says about the race for compliance outside the EU, including larger companies that may face similar struggles.


Taking a closer look into the numbers and details behind compliance efforts

In September 2019, the Capgemini Research Institute published a study based on research involving over 1,000 privacy, compliance, and data protection personnel across 8 business sectors: insurance, banking, consumer goods, utilities, telecom, public services, healthcare and retail. The study was conducted on a similar scale: the companies involved were headquartered in France, Germany, Italy, the Netherlands, Norway, Spain, Sweden and the UK, but this time the US and India were also included.

The report revealed that, despite a significant number of businesses having been confident about their GDPR compliance efforts by the time the GDPR came into force in May 2018, 75% of the respondents admitted that they were still struggling with their compliance efforts.

It was found that only 28% of companies had successfully achieved compliance, in contrast to a “GDPR readiness survey” conducted back in 2018, in which 78% of businesses expected to be fully prepared by the time the GDPR was enforced.

The results of the survey indicated that compliance was highest among companies from the US (35%), followed by the UK and Germany (both 33%). The lowest compliance rates were in Spain and Italy (both 21%) and Sweden (18%).

Furthermore, the report revealed common obstacles that caused problems for a company’s compliance efforts:

• 38% stated that they had challenges with aligning legacy IT systems to the GDPR requirements
• 36% struggled with the complexity of the obligations and requirements that had been set out
• 33% indicated that there were cost-related issues that hindered further compliance efforts

Volumes of data subject requests had also been revealed as a struggle for the companies. It was found that a significant number of companies in different countries had received 1,000+ data subject requests. Namely:

• The US (50%)
• France (46%)
• the Netherlands (45%)
• Italy (40%)

On a positive note, the results showed that 81% of businesses stated that their GDPR efforts had also had a positive impact on reputation and brand image.

The two studies discussed above give an initial impression of the kinds of struggles companies big or small face in the race to compliance. As the GDPR continues to demand that companies take appropriate data privacy and data protection measures, the next study sheds light on some of the common measures that have been taken. Not only does the study highlight these measures, but it was also conducted on a larger group.

In it to win it: Compliance efforts analysed from an even broader scope

Also published in September 2019, a study by McDermott Will & Emery together with the Ponemon Institute involved over 1,200 companies and had a much broader scope. The research not only looked into companies in Europe and the US, but also included Asia, namely China and Japan. The study reflected upon the difficulties faced by the businesses and was based upon responses from individuals working in a variety of their respective company’s departments, including IT, cybersecurity, compliance, data protection, privacy, and legal. The results showed that only 18% of respondents were confident in their ability to communicate a data breach to the appropriate authorities within 72 hours of initial awareness, and 50% admitted that they had encountered at least one data breach.

Another significant finding from the study is that US-based companies experienced and reported more GDPR-related cyberattacks (45%) compared to:

• Europe (34%)
• China (31%)
• Japan (38%)

Another notable point is that Japan-based companies used external cybersecurity services to investigate their GDPR-related cybersecurity issues the most (47%), compared with:

• Europe (40%)
• the US (44%)
• China (25%)

To finish on a positive note, the study found that 90% of the respondents said their company had appointed a Data Protection Officer (DPO), and 54% stated that their company had also appointed an EU representative. These results were especially highlighted as there are notably strict criteria for appointing DPOs and EU representatives.

With a clearer understanding of some of the compliance efforts certain companies have put in place, it can be suggested that the GDPR continues to keep companies in and outside the EU proactive when it comes to data privacy and data protection.

What will the race to compliance look like?

As we enter 2020, several sources, such as the studies above and the ongoing GDPR fines being issued, suggest that data privacy will be one of the most important issues of the next decade. Will more companies fall behind in the race and ultimately fall under the harsh penalties of the GDPR? Or will they continue to take the appropriate measures to ensure GDPR compliance, and keep up in the race?

This article does not constitute legal advice.

The opinions expressed in the column above represent the author’s own.


Written by Brodie Bavidge of PrivacyPerfect. PrivacyPerfect is one of the first high-end privacy compliance software providers on the market.


Article syndicated with permission from

PrivacyPerfect is a renowned legal-tech organisation headquartered in The Netherlands, providing privacy compliance solutions to an international market successfully for nearly a decade now.

They provide their clients with a proven software solution for easy GDPR compliance that simplifies privacy-related tasks and makes the regulatory compliance process easier and smoother. Their high-end software provides a solution for all primary data privacy needs, empowering privacy professionals worldwide with built-in smart automation to perform their tasks more easily, quickly, accurately, and efficiently.

They believe in the people-process-technology methodology, and keep this top of mind in everything they do, from product development, through their sales efforts, to client management.
