US Companies Among Most GDPR Compliant, But Privacy Burden Grows
Outside of growing compliance, a new report by Thomson Reuters found since the GDPR came into effect, most companies have become less open and proactive with consumers on data privacy issues.
May 22, 2019 at 11:00 AM
4 minute read
There's less than a week to go until the one-year anniversary of the European Union's General Data Protection Regulation, but a new report from Thomson Reuters indicates that while most global companies consider themselves knowledgeable on the GDPR, many are still struggling to comply.
The report is based on surveys that were conducted in 2017 before the GDPR came into effect and then again in December 2018 after the regulation had been in place for roughly six months. Over 1,000 data privacy professionals from Singapore, Germany, Hong Kong, France, the United States, the United Kingdom, Canada, Australia and New Zealand responded. Each worked at global companies averaging revenues of $282 million and 16,400 employees.
“I think reading this report you can almost feel the emotion behind the numbers, but really get into what our customers both in the in-house and law firm side are feeling,” said Erica Kitaev, project management director at Thomson Reuters.
Companies based within the U.S. may be feeling just slightly better than others. While 79% of companies surveyed post-GDPR indicated that they were currently failing to meet regulatory requirements or are at risk of falling behind (an increase of seven percentage points from responses taken in 2017 before the GDPR), figures collected stateside marked an improvement.
In 2017, 64% of U.S. respondents said that they were unable to meet GDPR and other data privacy requirements. That number shrank to 42% in 2018, with only France showing more favorable results at 31%. U.S. companies were also the only respondents not to experience a bump in enforcement actions related to the GDPR or other privacy regulations over the last year (down from 62% of companies in 2017 to 56% in 2018).
Still, don't break out the party hats just yet. Per the report, U.S. companies have work yet to do, with 64% of those surveyed in 2018 (up from 52% in 2017) saying that they were struggling to keep up with, or falling further behind, regulatory requirements. Close to half (47%) of all companies surveyed globally indicated the same.
It's possible that a lack of preparedness could account for at least some of the hiccups that companies are experiencing. Karen Schuler, national leader of the information governance and privacy practice at professional services firm BDO, said that the data management across companies of all sizes has been lacking.
“They don't really know where their sensitive data is, they don't know who has access to it. It still astounds me to see how many companies are at that data mapping stage and data flow diagramming stage,” Schuler said.
The report also indicates that companies in turn have been less open and proactive with consumers on data privacy issues since the GDPR was implemented. Only 30% of respondents (compared with 42% in 2017) reported that they were being open and proactive with consumers. There was a much steeper drop in the U.S. from 60% to 27%.
Schuler attributed some of that decline to companies having to engage in a careful balancing act whereby they don't inadvertently compromise intellectual property while explaining privacy-related issues to a consumer. She said that BDO has noticed more corporate clients working with outside privacy counsel to address customer inquiries.
“[They] really think through how is it best to respond but also what is going to answer the question. And in the past these things would have been fully dismissed,” Schuler said.
As for the future, dollar signs are expected to play a significant role. Almost half (48%) of all companies surveyed expect the global cost of data protection to increase, with companies in the U.S. taking the highest honors at 56%. Per the report, 38% of all companies (up from 31% in 2017) said that the GDPR will be claiming at higher portion of those budgets.
Unfortunately, that won't let them off the hook with the California Consumer Protection Act (CCPA). Ironically, the Thomson Reuters report suggests that companies in Singapore (94%), Germany (89%), Hong Kong (89%) and France (83%) are more aware of the CCPA than companies in the U.S. (82 percent).
Kitaev suggested that this could be due in part to those countries being a little bit further ahead on their GDPR compliance. Since Europe has been dealing with complex and multijurisdictional privacy issues for 20-plus years, she said that its not unusual to see more sophistication or forward movement in those areas.
“Perhaps they have a little more bandwidth to turn to this next big challenge, which will be CCPA,” Kitaev said.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250