There's less than a week to go until the one-year anniversary of the European Union's General Data Protection Regulation, but a new report from Thomson Reuters indicates that while most global companies consider themselves knowledgeable on the GDPR, many are still struggling to comply.

The report is based on surveys that were conducted in 2017 before the GDPR came into effect and then again in December 2018 after the regulation had been in place for roughly six months. Over 1,000 data privacy professionals from Singapore, Germany, Hong Kong, France, the United States, the United Kingdom, Canada, Australia and New Zealand responded. Each worked at global companies averaging revenues of $282 million and 16,400 employees.

“I think reading this report you can almost feel the emotion behind the numbers, but really get into what our customers both in the in-house and law firm side are feeling,” said Erica Kitaev, project management director at Thomson Reuters.

Companies based within the U.S. may be feeling just slightly better than others. While 79% of companies surveyed post-GDPR indicated that they were currently failing to meet regulatory requirements or were at risk of falling behind (an increase of seven percentage points from responses taken in 2017 before the GDPR), figures collected stateside marked an improvement.

In 2017, 64% of U.S. respondents said that they were unable to meet GDPR and other data privacy requirements. That number shrank to 42% in 2018, with only France showing more favorable results at 31%. U.S. companies were also the only respondents not to experience a bump in enforcement actions related to the GDPR or other privacy regulations over the last year (down from 62% of companies in 2017 to 56% in 2018).

Still, don't break out the party hats just yet. Per the report, U.S. companies have work yet to do, with 64% of those surveyed in 2018 (up from 52% in 2017) saying that they were struggling to keep up with, or falling further behind, regulatory requirements. Close to half (47%) of all companies surveyed globally indicated the same.

It's possible that a lack of preparedness could account for at least some of the hiccups that companies are experiencing. Karen Schuler, national leader of the information governance and privacy practice at professional services firm BDO, said that data management across companies of all sizes has been lacking.

“They don't really know where their sensitive data is, they don't know who has access to it. It still astounds me to see how many companies are at that data mapping stage and data flow diagramming stage,” Schuler said.

The report also indicates that companies in turn have been less open and proactive with consumers on data privacy issues since the GDPR was implemented. Only 30% of respondents (compared with 42% in 2017) reported that they were being open and proactive with consumers. There was a much steeper drop in the U.S. from 60% to 27%.

Schuler attributed some of that decline to companies having to engage in a careful balancing act whereby they don't inadvertently compromise intellectual property while explaining privacy-related issues to a consumer. She said that BDO has noticed more corporate clients working with outside privacy counsel to address customer inquiries.

“[They] really think through how is it best to respond but also what is going to answer the question. And in the past these things would have been fully dismissed,” Schuler said.

As for the future, dollar signs are expected to play a significant role. Almost half (48%) of all companies surveyed expect the global cost of data protection to increase, with companies in the U.S. taking the highest honors at 56%. Per the report, 38% of all companies (up from 31% in 2017) said that the GDPR will be claiming a higher portion of those budgets.

Unfortunately, that won't let them off the hook with the California Consumer Protection Act (CCPA). Ironically, the Thomson Reuters report suggests that companies in Singapore (94%), Germany (89%), Hong Kong (89%) and France (83%) are more aware of the CCPA than companies in the U.S. (82%).

Kitaev suggested that this could be due in part to those countries being a little bit further ahead on their GDPR compliance. Since Europe has been dealing with complex and multijurisdictional privacy issues for 20-plus years, she said that it's not unusual to see more sophistication or forward movement in those areas.

“Perhaps they have a little more bandwidth to turn to this next big challenge, which will be CCPA,” Kitaev said.