New GDPR risk assessment finds that 84 percent of US respondents expect to be ready
The TrustArc/IAPP survey looked at the perceived risk of non-compliance with 11 GDPR requirements among US and UK firms.
With GDPR Day — May 25, 2018 — now less than seven months away, companies are beginning to assess the risks of not complying with the new European Union regulation.
To help focus their thoughts, security/compliance firm TrustArc (formerly TRUSTe) and the International Association of Privacy Professionals (IAPP) surveyed almost 500 privacy professionals in the US and the UK and prepared what they say is the first report to measure perceived GDPR risk, “GDPR Non-Compliance Risks and Mitigation Strategies.” Interestingly, and contrary to some other studies, this research found that 84 percent of US respondents expect to be GDPR-ready no later than May 2.
By contrast, more of their European counterparts might be late, since a quarter of EU respondents say their companies won’t be ready by GDPR Day. TrustArc SVP of Marketing and Product Management Dave Deasy told me via email that European companies cite “inadequate budget” as the key reason for possible delays, while US companies point to the regulation’s complexity.
The survey’s questions addressed the perceived risks of not complying with 11 specific GDPR requirements, and what actions are being taken.
The top risk for all respondents: failing to prepare for a data breach notification, with failure to conduct data inventory and mapping coming in a close second. Deasy pointed out that data mapping is not a GDPR requirement per se, but is needed to assess data types, uses and retention.
Among US respondents, the top GDPR risk was not complying with requirements for international data transfers.
The top action to lessen risk, the privacy pros said, is to invest in employee training on data protection and privacy.
The respondents, surveyed in September and October, were chosen from subscribers to the IAPP Daily Dashboard. Those who said they didn’t think GDPR applies to them — many in government, and accounting for about 12 percent — did not complete the survey. The represented companies were distributed among firms of various sizes, from fewer than 100 employees to over 75,000.