Fewer than half of global businesses are GDPR-compliant

Fewer than half of businesses around the world are fully compliant with the European Union’s (EU) General Data Protection Regulation (GDPR), according to new research.

The International Association of Privacy Professionals (IAPP), which surveyed 550 of its members, 80% of whom were from either the US or Europe, found that just 44% thought they were entirely compliant with the GDPR, while almost one in five believed that full compliance was impossible.

But according to Out-Law, the results also suggest organisations feel that complying with some aspects of the GDPR, such as its data portability rules and consent regime, is easier than was anticipated last year. Moreover, while 89% of the EU businesses and 67% of the US companies surveyed indicated they had appointed a data protection officer in response to the new legislation, half said they had done so “even though they were not obliged because it serves a valuable function for the firm”.

The study also highlighted the impact that the GDPR has had on the outsourcing market, with a quarter of respondents pointing out that they had switched to a different data processor.

“A 25% shift in any market can cause major disruption. And the future may be highly unstable for data processors who fall behind in their GDPR compliance efforts,” the report said.

In addition, fewer than half of respondents were confident they would stay with their existing data processors, while 30% planned to change vendors and a “meaningful” 26% were still on the fence. “This loudly signals that processors are well served to take the GDPR seriously if they’d like to hold on to their customers,” the report added.

Another key finding was that 89% of businesses rely on EU standard contractual clauses to transfer personal data outside of the region. In fact, it is “far and away” the most popular tool for cross-border data transfers, the IAPP said.

Just under half of the respondents also use the EU-US Privacy Shield for data transfers. But both the Privacy Shield and the EU standard contractual clauses are subject to legal challenge in Europe.

“Binding corporate rules, largely considered the ‘safest’ of transfer mechanisms, are only used by 28% of companies, reflecting the difficulty of getting them approved by an EU supervisory authority,” the report indicated.

Meanwhile, Apple’s chief executive Tim Cook has called on the US government to introduce local privacy laws that are similar to the GDPR, according to PYMNTS. It cited comments made by Cook at a speech in Brussels, which were reported by the Financial Times, that it was time “for the rest of the world” to take a page out of the EU's book and create a comprehensive framework to protect consumers’ personal information.

Emma Woollacott

Emma Woollacott is a freelance business journalist. Her work has appeared in a wide range of publications, including the Guardian, the Times, Forbes and the BBC.