On March 26, 2018, the Centre for Information Policy Leadership at Hunton & Williams LLP and AvePoint released its second Global GDPR Readiness Report (the “Report”), detailing the results of a joint global survey launched in July 2017 concerning organizational preparedness for implementing the EU General Data Protection Regulation (“GDPR”). The Report tracks the GDPR implementation efforts of over 235 multinational organizations, and builds on the findings of the first Global GDPR Readiness Report by providing insights on key changes in readiness levels from 2016 to 2017.
Key highlights of the Report include:
- Over half of all respondents have committed additional budget to GDPR implementation, with increases ranging from hundreds of thousands of dollars to upwards of $50 million.
- While technology tools and software are the number one priority for GDPR-focused budget spending, continued reliance on manual methods for building and maintaining data processing inventories, as well as low usage rates of automated software to identify and tag data, indicate that much work is still to be done to assess and procure these solutions.
- Almost a quarter of organizations have not yet implemented any processes to update their controller-processor contracts or to review or renegotiate existing agreements. Organizations will have to look closely at their contracts ahead of May 25, 2018, to ensure they include the new required terms introduced by the GDPR.
- Despite little information being available on new GDPR transfer mechanisms such as adequate safeguards or certifications, for the second year in a row, respondents indicated that they are likely to use these mechanisms, with almost one-fifth of organizations reporting they will rely on the latter post-GDPR.
- With regard to security, the majority of organizations have put internal reporting procedures and incident response plans in place. However, organizations still have some work to do in implementing other data breach response procedures, such as conducting dry runs and retaining PR and media consultants.
- Legitimate interest remains the area most in need of clarity under the GDPR, followed by data protection impact assessments and risk, breach notification, notice and consent, and privacy by design.
To read more about these highlights and other insights of the study, please view the full report.