Firms failed to meet their own expectations on GDPR compliance, but 81% of those who declare being compliant have reported positive impacts on reputation and image
Paris, September 26, 2019 – Over a year on from the introduction of the General Data Protection Regulation (GDPR), the Capgemini Research Institute has found that companies vastly overestimated their readiness for the new regulation with just 28% having successfully achieved compliance; this is compared to a GDPR readiness survey last year which found that 78% expected to be prepared by the time the regulation came into effect in May 2018. However, organizations are realizing the benefits of being compliant: 81% of those that are say GDPR has had a positive impact on their reputation and brand image.
The “Championing Data Protection and Privacy – a Source of Competitive Advantage in the Digital Century” report finds that companies have responded to new requirements more slowly than they expected, citing barriers including the complexity of regulation requirements, costs of implementation and challenges of legacy infrastructure. Meanwhile, a significant number of organizations are investing heavily in data protection and privacy to ensure compliance with existing regulations, and to lay the foundation for those to come.
Key findings from the report include:
Enterprises have fallen behind on GDPR compliance
Although over a year has passed since GDPR went into effect, the position of many enterprises remains uncertain in terms of compliance. While 28% of organizations say they have achieved compliance, just 30% of organizations are “close to” complete compliance but still actively resolving pending issues. Compliance was highest with companies in the US (35%), followed by the UK and Germany (both on 33%), and lowest in Spanish, Italian, (both on 21%) and Swedish companies (18%).
Executives identified the challenges of aligning legacy IT systems (38%), the complexity of the GDPR requirements (36%) and prohibitive costs to achieve alignment with regulations (33%) as barriers to achieving full GDPR compliance. The volume of queries from data subjects has also been extremely high: 50% of US companies covered by GDPR have received over 1,000 queries, as did 46% of French companies, 45% in the Netherlands and 40% in Italy.
As organizations struggle to comply, they are actually making significant investments to fulfil the costs of increased professional fees to support GDPR alignment; 40% expect to spend more than $1m on legal fees and 44% on technology upgrades in 2020. In addition, organizations face a new challenge – the adoption of new legislation in different countries outside the European Union.
Benefits of being GDPR compliant are greater than expected
Opportunities are being lost by companies which fail to achieve GDPR compliance. Of the organizations that have achieved compliance, 92% said they gained competitive advantage, something only 28% expected last year. The vast majority of executives from firms which achieved compliance said it had a positive impact on customer trust (84%), brand image (81%) and employee morale (79%). Executives from compliant firms also identified positive second-order effects of implementing GDPR, including improvements in IT systems (87% vs. 62% who anticipated this in 2018), cybersecurity practices (91% vs. 57%) and organizational change and transformation (89% vs. 56%).
Technology is a key enabler for compliant organizations
The survey found a clear gap in technology adoption between compliant organizations and those lagging behind. Organizations compliant with GDPR, in comparison with non-complying organizations, were more likely to be using cloud platforms (84% vs. 73%), data encryption (70% vs. 55%), Robotic Process Automation (35% vs. 27%) and industrialized data retention (20% vs. 15%).
Furthermore, while 82% of GDPR compliant organizations had taken steps to ensure their technology vendors were compliant with relevant data privacy regulations, only 63% of non-compliant companies could say the same. A majority (61%) of the compliant organizations said they audit sub-contractors for data-protection compliance, compared to 48% of non-compliant companies.
The effort to maintain data protection and privacy compliance is a continuing one
Organizations need to have the right philosophy about data protection and privacy, and it is best to approach it proactively, rather than solely as a compliance activity. “The GDPR is not something you will ever be done with. It is something that you need to work on continuously,” says Michaela Angonius, Vice President and Head of Group Regulatory and Privacy, Telia Company. “We started raising awareness internally, long before the law was adopted. This was because we foresaw that this would be one of the biggest compliance projects that we would undertake in the company’s history.”
“This research underscores both the challenges for companies in achieving GDPR compliance, and the exciting opportunities for those that do,” said Zhiwei Jiang, CEO of Insights & Data at Capgemini. “Clearly, many executives were over-ambitious in their expectations last year, and have now realized the extent of investment and organizational change that is required to achieve compliance: from implementing advanced technologies that support data protection to embedding a privacy and data protection mindset among employees. However, organizations must recognize the higher-than-expected benefits of being compliant, such as increased customer trust, improved customer satisfaction, strengthened employee morale, better reputation, and positive impact on revenue. These benefits should encourage every organization to achieve full compliance.”
For further information, please access the full report here.
The research surveyed 1100 senior executives, director level and above, spread across eight sectors: insurance, banking, consumer products, utilities, telecom, public services, healthcare, and retail. Executives belong to companies headquartered in: France, Germany, Italy, Netherlands, Norway, Spain, Sweden, UK, US, and India. Capgemini also conducted interviews with industry leaders and experts, examining the current status and impact of data privacy regulations.
A global leader in consulting, technology services and digital transformation, Capgemini is at the forefront of innovation to address the entire breadth of clients’ opportunities in the evolving world of cloud, digital and platforms. Building on its strong 50-year heritage and deep industry-specific expertise, Capgemini enables organizations to realize their business ambitions through an array of services from strategy to operations. Capgemini is driven by the conviction that the business value of technology comes from and through people. It is a multicultural company of over 200,000 team members in more than 40 countries. The Group reported 2018 global revenues of EUR 13.2 billion.
Visit us at www.capgemini.com. People matter, results count.
About the Capgemini Research Institute
The Capgemini Research Institute is Capgemini’s in-house think-tank on all things digital. The Institute publishes research on the impact of digital technologies on large traditional businesses. The team draws on the worldwide network of Capgemini experts and works closely with academic and technology partners. The Institute has dedicated research centers in India, the United Kingdom and the United States. It was recently ranked #1 in the world for the quality of its research by independent analysts.
Visit us at https://www.capgemini.com/researchinstitute/
 Compliance, in this case, refers to compliance assessment as reported by the companies surveyed
 Capgemini Research Institute, “Seizing the GDPR Advantage: From mandate to high-value opportunity,” May 2018
 A data subject is an individual whose personal data are processed by an organization