Capgemini Research Institute finds only 28% of businesses achieved GDPR compliance, but those that did are seeing the rewards. The consultancy firm also found that 81% of compliant companies reported that GDPR has had a “positive impact on their reputation and brand image.”
The new report by Capgemini saw 1,100 senior executives surveyed and discovered:
“Companies have responded to new requirements more slowly than they expected, citing barriers including the complexity of regulation requirements, costs of implementation and challenges of legacy infrastructure.”
Heavy investment into GDPR compliance continues
But firms are continuing to invest “heavily” in data protection and privacy to make sure they are regulatory compliant and “to lay the foundation for those to come.” 40% of companies asked say they expect to spend over $1 million on legal fees and 44% say they will spend the same amount on technology upgrades.
A further 30% of those surveyed believe they are close but are “still actively resolving pending issues.” Those who are having problems cite GDPR complexity and high costs, and many companies have received “queries from data subjects.”
Benefits of GDPR compliance are becoming apparent
Despite the fact that many still appear to be struggling with the GDPR challenge, for those companies that have achieved compliance the benefits are clear.
Capgemini found that a massive 92% of compliant companies surveyed say they have gained competitive advantage. Only 28% expected to gain competitive advantage, so these companies may be a little happier with the impact of GDPR than most. A further 84% say they are experiencing a “positive impact on customer trust,” 81% on brand image and 79% a positive impact on employee morale.
Companies haven’t just found benefits to their external positioning: 87% are finding improvements with their IT systems and 91% with their cybersecurity practices.
These improvements to data privacy and cybersecurity infrastructure can only add even more benefits, protecting from other cyber risks as well as data breaches.
A company’s technology stack influences its ease of compliance
The report discovered that the level of technological adoption within a business may have influenced quicker compliance. Those using cloud platforms, data encryption, and other advanced systems seem to have fared better in the race to achieve compliance.
Don’t forget third-party vendors when considering GDPR
These compliant firms also seem to be faring better at checking and ensuring their third-party technology suppliers are GDPR compliant. Capgemini says:
“While 82% of GDPR compliant organisations had taken steps to ensure their technology vendors were compliant with relevant data privacy regulations, only 63% of non-compliant companies could say the same. A majority (61%) of the compliant organisations said they audit sub-contractors for data-protection compliance, compared to 48% of non-compliant companies.”
Data privacy and cybersecurity practices must meet equivalent and sufficient standards all along an organisation’s supply chain. Supply chain cyber risk is growing, with cybercriminals looking to exploit weak links further along a company’s network. Ponemon Institute research found 61% of US organisations last year reported a data breach within their vendors or partners.
Continuous action and awareness are vital
One executive who joined the Capgemini survey, Michaela Angonius, Vice President and Head of Group Regulatory and Privacy at Telia Company, says GDPR is something that needs to be worked on “continuously.” Angonius says:
“We started raising awareness internally, long before the law was adopted. This was because we foresaw that this would be one of the biggest compliance projects that we would undertake in the company’s history.”
Zhiwei Jiang, CEO of Insights & Data at Capgemini, concludes:
“Organisations must recognize the higher-than-expected benefits of being compliant, such as increased customer trust, improved customer satisfaction, strengthened employee morale, better reputation, and positive impact on revenue. These benefits should encourage every organisation to achieve full compliance.”
It’s great to hear more “carrot” than “stick” incentives for GDPR compliance, and that the time and money firms have spent achieving compliance is being returned as potential bottom line revenue.
After all, the result of non-compliance could have a serious impact both financially and on a company’s reputation. In July it emerged that British Airways and the Marriott hotel chain were facing record breaking fines for data breaches.
Edward Whittingham, our very own Managing Director of The Defence Works, provided his comments to the Financial Times at the time, including:
“Until now, we knew GDPR had teeth, but we didn’t know how hard it could bite. These penalties will raise some serious concerns for other businesses going forward.”
Here at The Defence Works we offer engaging, employee-focused GDPR training. Our sessions are interactive and quick-fire, taking minutes, but helping you to meet your legal requirements. Our training can make the difference between secure data and a data breach. We also help to empower your employees with GDPR knowledge, so you are willing, able and prepared at every level to achieve and maintain compliance.