Vast majority consider themselves on track to be compliant but most don’t have dedicated resources.
The vast majority of FTSE 350 and Fortune 500 companies believe they are well on track when it comes to complying with GDPR regulations – underestimating the enormous task facing them.
A survey of 100 FTSE 350 General Counsel and Chief Security Officers, and 100 Fortune 500 GCs and CSOs, by law firm Paul Hastings found that 98% of Fortune 500 companies consider themselves to be on track for GDPR, whilst 94% of FTSE 350 companies say the same.
Although steps are being taken to move in the right direction, over half of companies across the UK and US are extremely unlikely to be ready in time for the May 2018 deadline.
According to the research, only 43% are setting up an internal GDPR taskforce (39% in the UK and 47% in the US), whilst a third are hiring a third party to conduct a GDPR gap analysis (tied at 33% for US and UK) and one in three is hiring a third-party consultant or counsel to assist with compliance (33% UK and 37% US).
There’s also some serious concern when it comes to hiring a Data Privacy Officer, which is a crucial requirement for any business that is involved in the ‘large scale monitoring of individuals.’ The hiring of a DPO or additional privacy staff has only been actioned by 29% of GCs/CSOs, with only 18% of Fortune 500 companies hiring and only 10% of UK companies allocating a budget for GDPR compliance.
Behnam Dayanim, partner and global co-chair of the Privacy and Cybersecurity practice at international law firm Paul Hastings, said: “Achieving GDPR compliance is an enormous task – one that in our experience almost inevitably requires dedicated resources and budget. Against that backdrop, the confidence among major corporations revealed in our survey seems mismatched with those same businesses’ reports of their implementation efforts.
“With so few companies undertaking key compliance measures to date, it will be a race to the finish line for those needing to meet the terms of this wide-reaching regulation. This unfortunately seems to be setting up a scenario for multiple investigations and enforcement activities once the implementation date arrives.”