FTSE and Fortune firms are mistaken about their GDPR compliance
The vast majority of the world’s largest firms are seriously overestimating their GDPR readiness, a study has found.
The study, by law firm Paul Hastings, surveyed general counsel and chief security officers in the FTSE 350 and Fortune 500. It found that fewer than half (43 per cent) are setting up an internal GDPR task force (39 per cent in the UK and 47 per cent in the USA).
A third of companies across both regions are taking on a third party to conduct a GDPR gap analysis. In the UK, the same proportion have hired a third-party consultant or counsel to assist with compliance, while the figure stands at 37 per cent in the USA.
Although appointing a data protection officer is a key requirement for GDPR readiness, only 29 per cent of UK enterprises and 18 per cent of US firms have hired one.
Despite that, 94 per cent of FTSE companies and 98 per cent of Fortune companies say that they are ready for the GDPR.
Behnam Dayanim, partner and global co-chair of privacy and cybersecurity practice at Paul Hastings, said: “Achieving GDPR compliance is an enormous task – one that in our experience almost inevitably requires dedicated resources and budget. Against that backdrop, the confidence among major corporations revealed in our survey seems mismatched with those same businesses’ reports of their implementation efforts.
“With so few companies undertaking key compliance measures to date, it will be a race to the finish line for those needing to meet the terms of this wide-reaching regulation. This unfortunately seems to be setting up a scenario for multiple investigations and enforcement activities once the implementation date arrives.”
More than half of cyber security specialists in the UK and USA are worried about GDPR compliance, and business leaders don’t understand cyber risks, according to CA Veracode. That has had a negative effect on businesses, with many resigning themselves to non-compliance.