steven36 Posted June 1, 2019

The latest statistics on GDPR spending, compliance rates, enforcement and consumer attitudes on privacy protection.

Enterprise Budgets Swell

One thing is certain, and it's that enterprises are funneling a lot of cash toward continued GDPR compliance efforts. Forbes reporting went so far as to call GDPR a "$9 billion business shakedown," with industry sources such as IAPP and EY also reporting the average spend per organization reaching about $3 million, with half of that coming this year and beyond. The spending was spread out among a range of categories, including internal people-hours, outside legal counsel, consulting, employee training, and new technology.

Many experts expect the long-term budgetary impacts of sustained GDPR compliance to linger. The sustained spending will be particularly heavy in US companies that may not have instituted certain privacy practices commonplace at European firms even prior to GDPR. According to IDC's Ryan O'Leary, the "maximum impact" — spending on GDPR initiatives — in the US is actually expected in 2020. Meanwhile, another survey conducted by Thomson Reuters at the end of last year found about 38% of compliance budgets were dedicated to GDPR.

Time Spent on GDPR Compliance Will Remain High

Sustained spending on GDPR is difficult to project due to many hidden human costs — particularly when organizations have not yet automated all of their compliance processes and data flows. A study by the firm DataGrail, released earlier this month, shows that two-thirds of organizations dedicated 25 or more employees to managing GDPR, and 80% met at least a few times a month in the run-up to the deadline. But much of that early effort may have been short-term stopgaps. According to the survey, 70% of organizations indicated their early solutions for GDPR compliance won't scale in the future as regulatory enforcement agents step up their efforts and consumer complaints and data requests intensify. Interestingly, since the deadline, the time spent by decision-makers sustaining GDPR compliance seems virtually unchanged compared with the time spent preparing for GDPR.

The Compliance and Privacy Progress Needle Still Sticking

Even with all of the money being spent and the people-hours dedicated to GDPR worldwide, a year later the needle on compliance and privacy progress hasn't moved much at many organizations. For example, one survey by Talend found that 70% of companies can't comply with the level of data access offered to their consumers in GDPR-mandated privacy policies. And the survey conducted by Thomson Reuters found that 48% of organizations worldwide are failing to meet GDPR requirements.

Meanwhile, a study released this week by ImmuniWeb researchers found that even compliance with GDPR's simpler website privacy and security requirements is spotty among the 100 most visited websites in Europe. For example, over half of these sites had missing or hard-to-find privacy policies, and almost eight in 10 had insecure usage of cookies that were handling potentially sensitive data.

Registered Data Protection Officers Continue to Increase

Even though there's clearly still more work to go, the good news is that the number of data protection officers (DPOs) at organizations has grown with GDPR's mandates. According to IAPP figures from this month, approximately 376,306 organizations have registered DPOs so far in 12 of 28 EU member states, leading the industry group to extrapolate an estimate of 500,000 total DPO registrations across Europe. The group reports a "spike in remuneration" for all privacy professionals in the past year.

Registered DPOs are frequently chief privacy officers, for which IAPP reports an average salary of $220,000. However, not all DPOs are cut from that cloth, and the average salary for these privacy decision makers is a much more modest $88,000. This delta indicates that many junior-level DPOs may still need more training and experience to elevate their position and standing within their organizations to make an impact.

"Just appointing a DPO isn't enough," says IAPP CEO Trevor Hughes. "Organizations must ensure that DPOs are trained and qualified to address one of the defining tech policy issues of our time: protecting privacy and individuals' data."

Enforcement Action Ramped Up Quickly

Meantime, enforcement action is already in full swing at the European Data Protection Board (EDPB) and European Supervisory Authorities (SAs). In the year since the deadline, the EDPB has registered 446 cross-border cases. At the national SA level, there have been a total of more than 281,000 cases, including over 144,000 consumer complaints and more than 89,000 data breach notifications. Of these cases, about 63% have been closed already, with 37% still ongoing, the EDPB reports.

The Thomson Reuters report shows that, overall, about 50% of organizations around the globe have been subject to some sort of enforcement action. By IAPP figures, GDPR enforcement actions have resulted in over €56,000,000 (US$62.4 million) in fines.

Consumer Awareness Grows, But People Are Cynical

Meantime, among the consumers that GDPR is meant to protect, awareness of increased GDPR privacy protections is growing significantly. The EDPB reports that the percentage of EU citizens who have heard of there being a public authority in their country that is responsible for protecting data privacy rights has increased by 20 percentage points in the past four years, with 67% of EU citizens reporting they've at least heard of GDPR.

At the same time, many of these European citizens are still cynical about GDPR's benefits. A report by TrustArc and Ipsos shows that fewer than half of UK citizens have exercised GDPR rights, such as opting out of cookie installs or restricting company use of personal data. And only about 36% say they trust companies more with their personal data since GDPR came into effect a year ago. In addition, an even broader survey by Ogury found that across more than 280,000 global consumers, 55% say that since the data transparency provisions of GDPR were passed, they still don't have a better understanding of how companies use their data.