Although two years' notice was given to comply with GDPR, only half of companies self-reported compliance by May 25, 2018, a DataGrail survey shows.
The "Age of Personality: The Cost of Continuous Compliance" report examines the operational impact of the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), and shares insights into companies' experience with and attitudes toward privacy regulation.
DataGrail surveyed more than 300 US privacy decision-makers, including IT, operations, security, legal, and risk and compliance professionals.
"Companies without a European presence were not affected by GDPR. But with CCPA, US companies without GDPR are rapidly approaching the same challenges faced by multinational corporations with GDPR," said Daniel Barber, co-founder and CEO of DataGrail.
"Most companies reported taking at least seven months to achieve GDPR readiness, but now with CCPA only seven months away, they realize that their systems do not support CCPA and other upcoming privacy policies. Companies need to integrate and operationalize their privacy management to avoid the time-consuming and faulty manual processes to comply with these rules."
GDPR compliance took longer than expected
- Only half of companies achieved self-reported compliance before May 25, 2018.
- Most companies took seven months or longer to achieve readiness.
Even GDPR readiness is expensive
- Two-thirds of companies assigned dozens or even hundreds of employees to manage GDPR compliance. Based on the survey results, the average organization likely spent 2000-4000 hours in meetings preparing for GDPR, more than a full year's work.
- Half of privacy decision-makers personally spent at least 80 hours preparing for GDPR and another 80 hours maintaining compliance, also a full month of work.
Privacy requests are time-consuming and error-prone
- Half of businesses use manual processes to handle GDPR privacy requests, such as the right to be forgotten.
- Two-thirds of businesses have processed at least 100 requests over the past year, across dozens of business systems and third-party services, and most of them have at least 25 employees involved in handling requests. This creates thousands of touch points with the potential to introduce human error; the overwhelming majority of privacy staff are working to reduce the risk of manual errors in these requests.
CCPA compliance programs face the same challenges as GDPR programs
- Two-thirds of privacy professionals believe it will take less than six months to prepare for CCPA, although most reported that it took seven months or longer to prepare for GDPR. Worse, technology adoption for CCPA is lower than it was for GDPR. Companies rely mainly on training employees to manage privacy regulations, which increases the cost and risk of ongoing compliance.
Businesses will be challenged by the future of privacy
- Most companies approach privacy rules on a case-by-case basis; two-thirds of privacy professionals agree that the systems they have put in place do not support new rules.
- 90% of companies plan to hire at least three new employees over the next two years to manage privacy, but only one-third of companies automatically update their data inventory.
"This study shows that most businesses still rely on piecemeal technology solutions and manual processes to address privacy solutions specifically built for privacy protection," said Barber.
"As companies turn their attention from GDPR to CCPA and beyond, they must operate consistently to reduce risk, provide transparency for their customers and control operating costs."