New Report Shows GDPR Compliance Is 'More Like a Marathon Than a 100-Yard Dash'
A report from McDermott Will & Emery and the Ponemon Institute finds that GDPR compliance is still a ways off for many organizations.
May 04, 2018 at 12:00 PM
3 minute read
The original version of this story was published on Legal Tech News
A new survey sponsored by McDermott Will & Emery and conducted by the Ponemon Institute found that 40 percent of nearly 1,000 U.S. and European companies polled do not expect to meet General Data Protection Regulation (GDPR) compliance requirements by May 25.
Companies have struggled over the last few years to figure out even what GDPR compliance is. Forty-seven percent of those polled said they did not know where to begin their path to compliance.
Despite the high levels of anxiety that companies seem to feel around GDPR preparedness, especially given the regulation's steep fines for noncompliance, McDermott partner Mark Schreiber finds the number of companies who do not believe they will be prepared for GDPR compliance by the deadline “unsurprising.”
“What we're beginning to realize is that May 25 is not a stopping point. It's in some respects just a beginning,” Schreiber said. The race toward GDPR compliance, Schreiber said, “is going to be more like a marathon than a 100-yard dash.”
Although many companies have been making steady progress toward GDPR compliance for the last couple years, Schreiber said some others simply miscalculated the intricacies of the new regulation. “There are a lot of others who didn't quite appreciate the complexity and demands of what GDPR would take,” he noted.
In Schreiber's more than 20 years working in data privacy, the GDPR may be the most complicated regulatory shift he's seen to date. “It has innumerable pieces to it that are just beginning to be understood,” he said.
While Schreiber noted that the May 25 deadline for GDPR compliance is important, companies are increasingly aware that compliance isn't a goal you meet, but an ongoing process. “These obligations are going to go on for years with a number of new adjustments and modulations, further investment and compliance. It's not a one-stop, one-point-in-time obligation,” he said.
The study found that financial services, technology and energy sector companies lead the pack of those who planned to be compliant before the May 25 date, with about 60 percent of companies in each industry reporting likely compliance by the effect date. Companies in less highly regulated spaces, such as retail and manufacturing, were less likely to be compliant by the deadline.
Size also factored into a company's potential GDPR preparedness. Midsized companies, between 5,000 and 75,000 employees, were generally far more confident in their GDPR preparedness than either small companies or large companies.
Schreiber explained that both small and large companies face different kinds of challenges to GDPR preparedness. “If you're very small, you probably don't have the resources,” he noted, adding that large organizations conversely are tasked with trying to cover GDPR compliance across a huge set of different business functions.
For companies of all sizes, however, Schreiber sees a long road ahead for GDPR compliance, far beyond May 25. “It's literally going to create an entirely new regime. It'll have good points, it'll have struggles, but it's really demanding, and I think that's what everyone is learning,” he said.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllBeyond the Courtroom: Protecting High-Profile Clients From Online Smear Campaigns and Cyber Threats
6 minute readAs AI-Generated Fraud Rises, Financial Companies Face a Long Cybersecurity Battle
AI Adoption, Data Center Building Boom Opening More Doors for Cybercriminals, Many of Them Teenagers
Trending Stories
- 1The Fearless Forecaster’s Employment Law Predictions for 2025
- 2Judicial Conference Declines Democratic Request to Refer Justice Thomas to DOJ
- 3People in the News—Jan. 2, 2025—Eastburn and Gray, Klehr Harrison
- 4Deal Watch: Latham, Paul Weiss, Debevoise Land on Year-End Big Deals. Plus, Mixed Messages for 2025 M&A
- 5Bathroom Recording Leads to Lawyer's Disbarment: Disciplinary Roundup
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250