Fortune and FTSE firms still aren’t ready for GDPR, finds study

37 million Brits may seek personal data to be edited or deleted after GDPR, says study

Many of the largest companies in the UK have failed to fully grasp the importance of complying with the upcoming GDPR legislation, according to a new report from international law firm Paul Hastings.

The firm surveyed 100 FTSE 350 general counsels (GCs) and chief security officers (CSOs) and 100 Fortune 500 GCs and CSOs in the UK and the US in an attempt to reveal the true cost of GDPR compliance ahead of the 25 May 2018 deadline.

It found that more than half of the companies across the UK and the US will not be ready for the new regulations by the May deadline. It said the majority of Fortune 500 and FTSE 350 companies have underestimated their compliance with GDPR.

The study found that only 43% of companies (39% in the UK and 47% in the US) were setting up an internal GDPR taskforce.

A third claimed they were hiring a third party to conduct a GDPR gap analysis (33% in the UK and the US). Only one in three (33% in the UK and 37% in the US) was hiring a third-party consultant or counsel to assist with compliance, it said.

This was despite most companies claiming that they were on track with their GDPR compliance. The survey revealed that 98% of Fortune companies and 94% of FTSE companies considered themselves to be on track for GDPR.

Partner and global co-chair of the privacy and cyber security practice at Paul Hastings, Behnam Dayanim, said: “Achieving GDPR compliance is an enormous task – one that in our experience almost inevitably requires dedicated resources and budget.

“Against that backdrop, the confidence among major corporations revealed in our survey seems mismatched with those same businesses’ reports of their implementation efforts.

“With so few companies undertaking key compliance measures to date, it will be a race to the finish line for those needing to meet the terms of this wide-reaching regulation. This unfortunately seems to be setting up a scenario for multiple investigations and enforcement activities once the implementation date arrives.”