EU data law deadline: 62% of businesses still at high risk of non-compliance fines

With the new GDPR regulations coming into force just 12-months from now, research from Compuware reveals that the majority of retailers are still at risk of incurring costly non-compliance fines, despite organisations having made some progress since the same survey was conducted last year.

The global CIO study from Compuware Corporation, revealed that, despite making progress over the past 12 months,  the majority of European and U.S. businesses are still inadequately prepared to comply with the new EU General Data Protection Regulation (GDPR), due to be enacted next year.

  • Vast majority have no plan to comply with GDPR Only 27% of retailers have a detailed plan in place for how they will respond to the impact that GDPR will have on the way that they handle customer data.
  • Difficult to comply with the Right to be Forgotten 58% of retailers says they couldn’t guarantee they would be able to find all of a customer’s data if required – leaving them unable to comply with the GDPR’s ‘Right to be Forgotten’.
  • Modern IT services make GDPR compliance even harder– More than three quarters of retailers (76%) say the complexity of modern IT services means they can’t always know exactly where all their customer data resides, making it difficult to comply with the upcoming GDPR.
  • 67% of European organisations say they are well-briefed on the GDPR and the impact it will have on the way they handle customer data; an improvement from 55% when the same question was asked last year.
  • Of the 94% of U.S. organisations that possess European customer data, 88% claim to be well briefed on the GDPR and its impact on the way they handle that data; a significant rise from the 73% who responded affirmatively when asked the same question last year.
  • Only 38% of all respondents have a comprehensive plan in place for how they will comply with GDPR, leaving the majority at risk for non-compliance fines. This is only a slight improvement from the 33% who had a comprehensive plan in place last year.

However, the findings reveal that U.S. organisations are better prepared for the EU GDPR than their European counterparts. 60% of U.S. respondents with European customer data said they have a detailed and far-reaching plan in place, marking a slight rise from 56% that had plans last year. The UK was least prepared, with just 19% of organisations having a detailed plan in place, rising only slightly from 18% when the question was asked last year.

“Businesses are clearly heading in the right direction on GDPR compliance, but there is still a long way to go in a very short timeframe,” said Dr Elizabeth Maxwell, PDP, Technical Director, EMEA, Compuware. “UK businesses may be behind due to initial uncertainty over the impact of Brexit. But any organisation doing business in Europe will need to fall into line by the May 2018 deadline. Failure to comply could lead to devastating consequences should a data breach occur, something all too common given the growth of cybercrime and insider threats.”

Compliance hurdles

Identifying the areas of biggest concern, 56% of all respondents said that data complexity and ensuring data quality are the two biggest hurdles they will need to overcome to achieve GDPR compliance.

In addition, 75% of organisations said the complexity of modern IT services means they can’t always know where all customer data resides, whilst just over half (53%) said they could locate all of an individual’s data quickly, as will be required to comply with the “Right to be Forgotten” mandate included within the GDPR. Most worryingly of all, nearly a third (31%) admitted that, at present, they couldn’t guarantee they would be able to find all of a customer’s data.

“It will be impossible to comply with the GDPR’s ‘Right to be Forgotten’ if organisations can’t find customer data,” continued Maxwell. “Due to its security and scalability, most large organisations store most of their customer data on the mainframe. This data usually resides in a complex rabbit warren of databases spanning multiple systems, and organizations use manual, time-consuming methods to find and extract it. Businesses need an automated way to map and visualise data relationships, so they can quickly find the specific and relevant data and delete it, without needing specialist skills.”

Commissioned by Compuware and conducted by independent research company Vanson Bourne, the survey was administered to 400 CIOs at large companies covering a cross-section of vertical markets in France, Germany, Italy, Spain, the UK and the U.S.

This survey, conducted in April 2017, was a follow up to a similar survey conducted in 2016. Review the results of the 2016 GDPR research here: