55% of enterprises likely missed the GDPR deadline

Dr. French Caldwell

At the annual GRC Summit held in early June, MetricStream Chief Evangelist, Dr. French Caldwell, announced the findings of the latest MetricStream Research survey report, GDPR: Are Enterprises Ready to Protect Personal Data? The global survey gathered the perspectives of 120 respondents from 100+ enterprises and 20 different industries. Four primary areas of GDPR compliance were covered, including the state of GDPR awareness, preparedness, and readiness, as well as compliance challenges, benefits, and spend.

Key findings

Most enterprises did not expect to be fully compliant by the May 25 deadline
Only 39% of the respondents reported having a well-defined plan to be GDPR compliant by the May 25 deadline, while 5% reported that they were already compliant. The majority (55%) did not expect to make the compliance deadline. Of them, 17% had no clear compliance plan, while 38% expected to achieve only partial compliance.

Technology makes a big difference to GDPR readiness
More than half of the respondents (53%) who have implemented GRC solutions reported that they would be GDPR compliant by the May 25 deadline. On the other hand, only 40% of the respondents who use spreadsheet-based processes reported that they would meet the deadline.

70% of the respondents using GRC solutions for GDPR compliance also indicated being either confident or highly confident that their data protection program would stand up to legal scrutiny by regulators and courts. In comparison, less than a quarter of the respondents (23%) using spreadsheet-based processes, point solutions, or business process management solutions, reported similar levels of confidence in their data protection programs.

Readiness for an onslaught of data subject complaints and rights requests is low

GDPR gives data subjects multiple rights. Yet, fewer than 40% of the respondents reported that their enterprises are prepared or fully prepared to manage data subject complaints or requests around more complex rights, including the right to erasure, the right to restrict processing, and the right to data portability.

Other Findings

  • Just 50% of the respondents reported being ready to complete assessments of all third parties that have access to personal data by the May 25 deadline
  • 86% of the respondents expect their GDPR budgets to stay the same or increase
  • 66% of the respondents reported improved data governance as the biggest long-term benefit of GDPR compliance

“GDPR is finally here, and with it a fundamental change in how companies execute on good data governance,” said Dr. Caldwell. “While the first year of compliance is likely to be a period of adjustment, enterprises cannot afford to be complacent. Our research shows that those with a well-implemented GRC program will have an edge when it comes to meeting these new requirements. Technology will also be important in building a future-ready, sustainable GDPR program that will drive business success in 2018 and beyond.”