Organizations Struggle to Comply with GDPR

Data-breach awareness and identification prove most difficult

By Roy Maurer, November 12, 2019

Most organizations covered under the European Union's (EU's) data-privacy law find compliance a challenge, according to a recent study.

Just 18 percent of the respondents said they are highly confident in their organizations' ability to report a data breach to the relevant regulators within the 72-hour timeframe set forth in the EU's General Data Protection Regulation (GDPR), which came into effect in May 2018. Fewer than half (46 percent) said they are at a high level of readiness to respond to a data breach involving the personal data of EU citizens. Thirty percent of respondents in the United States rated their level of readiness to respond to a data breach as very low.

GDPR introduced sweeping changes to data privacy for employers dealing with anyone in the EU, including new individual rights and employer obligations that may require significant changes to internal HR and business systems and processes. The law applies to companies that do business in the EU or use personal data of EU citizens, no matter where that company is located.

The survey of 1,263 respondents from the United States, Europe, China and Japan was conducted by the Ponemon Institute, a research center dedicated to data privacy and information security, and sponsored by international law firm McDermott, Will & Emery. It found that most respondents failed to meet the compliance deadline last year, with about one-third saying they were expecting to achieve compliance with GDPR before the end of fiscal year 2019.

"One of the more interesting findings was that what companies thought would be the hardest parts to comply with weren't that difficult, while they didn't entirely appreciate that data-breach reporting obligations would be as demanding as they turned out to be," said Mark Schrieber, a partner in the Boston office of McDermott, Will & Emery and co-chair of the firm's global privacy and cybersecurity practice. "The 72-hour notification window is an incredibly short time in the best of circumstances."

GDPR is primarily known for conferring to individuals the right to be informed of how their information is used; to be "forgotten" in search results; and to data portability. These personal data rights required new precautions to be established and back-end implementation on the part of employers, but compliance proved to be easier than previously thought, Schrieber said.


Data-Breach Challenges

Nearly half of respondents said they had experienced, on average, two reportable data breaches since the law went into effect. More than 60,000 preliminary data-breach reports were made to EU regulators in the first year, and most of those reports are still awaiting review, Schrieber said.

Under GDPR, organizations are required to quickly recognize, isolate, mitigate and respond to data breaches and report them to regulators within 72 hours of becoming aware of the incident.

"With more than a decade of data-breach response experience, U.S. companies are used to the protocols but it's still enormously stressful, even with 30 or 60 days to alert regulators and affected individuals," Schrieber said. "To try to do it in 72 hours, particularly if it's an outsider attack and without experienced forensic investigators to help, is a daunting task."

He added that it's harder for European organizations to fully identify cyberattacks because they generally use internal IT instead of external forensic vendors to investigate incidents. "Greater use of external forensic organizations likely identifies cyberattacks earlier and more accurately than the use of internal IT resources alone," he said. "As Europe and China catch up with U.S. experience on data-breach management, we would expect both the reported percentage of GDPR data breaches due to cyberattacks and the use of outside forensic firms to increase."

Additional study findings include the following:

  • The need to make comprehensive changes in business practices is the biggest reported challenge to compliance (69 percent), followed by unrealistic demands from regulators (53 percent) and too little time to devote to maintaining compliance (52 percent).
  • A high percentage of respondents (90 percent) appointed a data-protection officer under GDPR.
  • Only 10 percent of respondents said they received a fine as a result of a data breach.

Fines Starting to Roll In

There may have been only a few monetary penalties issued, but noncompliance can potentially be very costly. Failing to comply can result in maximum fines of up to 4 percent of annual revenue or €20 million, whichever is higher.

This summer, the U.K.'s Information Commissioner's Office levied major fines against British Airways and Marriott International for exposing personal data in violation of GDPR.

British Airways was fined $228 million for exposing the personal data of its customers, while Marriott got hit with a $124 million penalty for the same offense.

In January, Google was fined nearly $57 million by France's National Data Protection Commission for an alleged lack of the transparency and valid consent that GDPR requires in connection with its advertising.

"Google failed in obtaining valid consent to obtain and process data, and its blanket consent agreements and pre-ticked account sign-ups were contrary to GDPR's strong emphasis that consent should be freely given, informed and must involve affirmative action," said Michael Mittel, a technology industry veteran and president of RapidFire Tools, an IT assessment, internal threat detection and compliance company in Atlanta.

"Of all the GDPR articles, the 'right to be forgotten' and 'privacy by design and by default' are among the most significant," he said. "Build customer consent and data-processing transparency into the center of your user design and experience. Actively seek customer consent with clear affirmative action and opt-ins."

The increase in fines signals that the amnesty period for implementing the regulations is over, Mittel said.

Regional Differences

The Ponemon study also reflected regional differences in levels of adherence to GDPR:

  • Nearly half (49 percent) of Chinese respondents subject to GDPR—and more than one-third (36 percent) of Japanese respondents—are still not familiar with the regulation.
  • China has the lowest level of compliance with GDPR, with only 29 percent of Chinese respondents saying their organizations are fully compliant. Thirty-two percent of Japanese respondents said they are fully compliant, compared with 55 percent of European respondents and 43 percent of U.S. respondents.
  • More U.S. organizations (45 percent) have reported cyberattacks since the GDPR came into effect than respondents in Japan (38 percent), Europe (34 percent) or China (31 percent).
