Shutterstock.

A majority of companies view the General Data Protection Regulation in the European Union as a source of opportunity that can help them improve privacy and data security, according to the results of a survey released Wednesday from IBM's Institute for Business Value.

Fifty-nine percent of respondents to the survey agreed that the GDPR is a chance “for transformation or a spark for new data-led business models.” The remaining 41 percent of respondents viewed the GDPR as just another set of regulations requiring compliance.

The survey was conducted between February and April of 2018 and drew feedback from 1,500 executives, including chief privacy officers and GCs, in 34 countries and across 15 industries.

The expansive GDPR will go into effect May 25—it will set up new privacy and security requirements for companies processing data belonging to EU citizens. Noncompliant companies face fines of up to 20 million euros or 4 percent of the company's worldwide revenue from the prior year, whichever is higher.

Cindy Compert, CTO, data security and privacy, IBM Security, pointed out in an email that the GDPR is coming into effect during a time where consumers have shown distrust in the handling of their data.

“The results show that companies are connecting the dots between consumer sentiment around data privacy and GDPR, with the vast majority (84 percent) acknowledging that GDPR compliance can be viewed as a positive differentiator to the public,” Compert said in the email.

Compert said that the other companies are looking for a simple checklist, but GDPR is “more directional” and that it may be viewed as burdensome.

“Many of the requirements of GDPR are open to interpretation rather than prescriptive—for instance, implementing an 'appropriate level of security.' Additionally, we often see that those responsible for GDPR have been directed to 'go implement GDPR' without direction or executive oversight, or if the organization is not collaborating well, they may not be informed on what other parts of the organization are doing,” Compert said.

Despite the majority of respondents showing enthusiasm for the GDPR, only 36 percent said they will be fully compliant with the GDPR in time for the deadline later this month. Forty-seven percent said they have begun efforts to comply with the GDPR and 18 percent of respondents said they had not begun compliance efforts, but planned on doing so before May of this year.

Compert described coming into compliance with the GDPR as a huge undertaking and one that takes time.

“Procrastination is part of human nature, and given the complex nature of GDPR, this isn't something that can be undertaken in a matter of weeks or months for companies that have delayed until the last minute,” Compert said.

The results of the survey indicate that companies are largely struggling with certain areas of compliance. These include performing data discovery and ensuring data accuracy, complying with data processing principles, developing and updating privacy policies, getting consent from data subjects and establishing a data protection officer.

“Responding to GDPR requires involvement from all parts of the business, as well as executive level support,” Compert said.