Turns out GDPR compliance wasn't as easy as it was supposed to be - and California's version will be no different

It’s over a year since the General Data Protection Regulation (GDPR) came into force, but organizations in 2019 are less confident about their compliance capabilities than they were in 2018. And with the California Consumer Privacy Act (CCPA) looming on the horizon, will the over-confidence around GDPR preparedness be re-run?

According to new research from consultancy Capgemini - Championing Data Protection and Privacy : a source of competitive advantage in the digital century - only 28% of firms on average around the globe can state they are GDPR compliant. Last year the same study found 78% of respondents confident that they would be ready for the May 2018 enforcement of the new regulation.

While there’s a consistent theme of every country having been over-confident, the scale of this varies from nation to nation. US firms were the most sure of their readiness last year, but the 83% of firms who reckoned they were on track for compliance has now plunged to 33%. In Italy, it’s worse - down from 82% confident in advance to 21% in practice. The UK fares slightly better - 83% down to 33% - but Sweden, Spain and the Netherlands all report collapsed confidence levels.

France was the least confident country polled last year - 67% - and its pessimism has resulted in the smallest drop - a mere 39% down to hit 28%. Even the data protection maven that is Germany has nothing to be happy about, down from 79% confidence last year to 33% now.

By sector, it’s a similar story of harsh reality kicking in. Banking is the most compliant confident industry at present, but that only accounts for just over a third of organizations in that sector (35%), well down from the 79% which believed themselves ready last year. Telcos registered the biggest drop, down from 83% confidence to 23% today, but it’s worth noting that the government sector has failed in its obligations by a significant margin, with only 24% compliance today versus 78% confidence pre-GDPR.

That’s a massive wake-up call about the complexities of meeting the demands of a wave of new data privacy legislation around the world, such as  the General Data Protection Law (LGPD) in Brazil, and the Data Protection Bill in India.

Sinking home?

The learnings from GDPR don’t appear to have sunk home. Coming up on 1 January next year is the CCPA and at this point, over two-thirds of organizations polled  (70%) are confident they will be compliant, roughly the same number that thought everything would be fine from day one with GDPR.

That said, Capgemini’s research suggests 30% of respondents concede that they will only be partially compliant on New Year’s Day. The report observes:

Given the size of the California economy, and the number of companies affected, this in itself is a sizeable number of firms.

It also makes the inevitable comparison with pre-GDPR attitudes:

A similar situation existed with GDPR compliance in 2018, when 78% said they would be compliant by GDPR go-live. However, as we have seen from our latest 2019 data, the reality is that many missed out on compliance by go-live (when reality hit, only 28% reached compliance). This raises the possibility that many organizations are over-optimistic about being CCPA compliant.

What should be focusing attention is that over one year one, failure to comply with GDPR is starting to cost money. Under the Regulation, organizations can be fined up to 4% of global revenue. No-one’s been hit with that as yet, but the likes of France’s CNIL and the UK’s Information Commissioner’s Office have been ready to use their new big sticks on miscreants.

It won’t be the same for CCPA which doesn’t provide for the theoretical levels of penalty that GDPR does. The charge sheet here is $2,500 per unintentional violation per consumer affected or $7,500 per violation per customer if the violation is determined to be intentional. And it’s California, so consumers are entitled to lawyer up and bring their own separate private prosecutions.

The threat to the bottom line is encouraging firms to take action to catch-up on compliance with spend on IT upgrades a priority with existing tech cited a major inhibitor to meeting new regulatory demands.  Some 38% of respondents stated that  aligning existing IT to the GDPR has proven “extremely complex”. That learning may be informing the 42% who cited tackling legacy tech as critical to preparing for CCPA.

As a result, Capgemini found that more than a third of organizations (36%) have allocated more than €1 million Ito upgrades in 2019, while 44% of respondents say they’ll do this in 2020. And in a bit of good news for the likes of Capgemini, over a third (34%) of organizations plan to spend more than €1 million on consulting fees in 2019, rising to 37% in 2020! Every cloud etc etc.

In fact there are some silver linings all round. More than 75% of organizations that do claim to be GDPR compliant say that there have been “second order benefits”. For example, 87% point to now having better IT systems within the business, while 91% reckon that awareness around the importance of compliance has led to an uptick in cyber-security practices.

As to what advice Capgemini will be doling out to organizations who spend their consulting budgets with it, a key recommendation involves the ethical use of technology to strengthen trust. The report argues:

With technologies such as artificial intelligence key to analyzing large amounts of data in encrypted format for privacy compliance, it is important that these technologies – and their outputs – are also trusted by stakeholders such as customers. This means addressing the ethical dimension of AI and ensuring that trust is built into smart systems.

And there’s inevitably a big push to invest in AI to enable data discovery as well as enhance data management capabilities overall. Around two-thirds of GDPR-compliant respondents have AI initiatives underway according to the research:

A critical step is to clearly identify and map all personal data flows and where data is stored and processed within the organization. Proper data management, data profiling, analytics, data-centric architecture and Master Data Management (MDM) is essential to achieve this. MDM provides an organization the control it needs to master all of the data that it has by creating a single point of reference for consumer data and ensuring all data platforms align with this reference.

Data discovery through AI as an additional way to identify sensitive data at places and in situations where established practices may no longer be enough will be very useful, especially for large organizations operating in multiple geographies and firms undergoing mergers and acquisitions.

AI adoption still has a long way to go as a tech enabler of compliance. It’s only in use at 19% of GDPR-compliant organizations, compared to cloud platforms at 84% and data encryption at 70%. And on a positive note, no compliant organization believes Blockchain is the answer to anything here and only one percent of non-compliant respondents has yet to wake up to that truth.

My take

The top line takeaway - this is a long game and an ongoing one. As the study notes:

Despite what some executives may have anticipated (or hoped), the passing of the GDPR-effective date did not mark the end of organizations’ GDPR compliance efforts. Nor will January 1, 2020 signify the end of work on CCPA compliance.