- Businesses in more regulated industries, such as healthcare, public sector and financial services, are farther ahead in GDPR compliance than media and retail companies, many of which are still in the early stages of becoming compliant, according to a Forrester report.
- Almost 30% of companies report being in full compliance with the upcoming regulations, while 16% reported partial compliance. About 20% expect to reach compliance sometime in 2018. Forrester expressed reservations about whether the companies claiming compliance actually are compliant, because only a portion have "actually engaged in data discovery and classification exercises as well as built data flow maps and run gap analysis."
- Many firms not located in the European Union do not think GDPR will apply to them, but given its extraterritorial effect "the percentage of companies not affected by GDPR is small." This means many companies may require more guidance to understand how the regulations might impact their industry and firm, reports Forrester.
The road to compliance is not made easier by the fact that GDPR is rather vague. It sets out standards companies need to meet, such as tying collected information to specific individuals, but it does not say how to do these things.
Companies can ease the burden by appointing a "GDPR program manager" to oversee the operational side of compliance, as well as by involving all affected teams from the beginning, investing in continuous compliance solutions, and executing clear strategies and governance models, according to the report.
Although compliance and noncompliance both come with heavy costs, potentially running into the millions, noncompliance is ultimately far riskier for a company, from both an economic and a reputational perspective. In Europe, where the impact and awareness of the regulation are greater, the pessimism about compliance levels speaks to the burden it places on data controllers and processors.
But looking at compliance at the individual company level is not enough. Contractual pressures are sure to push more companies toward compliance, because a company is only as compliant as other companies it works with that handle its data.