A General Data Protection Regulation (GDPR) study in collaboration with Legal 500

A global study commissioned by KPMG Global Legal Services and conducted by The Legal 500 of senior legal counsel at 448 institutions found a majority (54%) of global companies surveyed feel their businesses are not prepared for the EU’s General Data Protection Regulation (GDPR). While GDPR is EU legislation, it will apply to all businesses internationally that manage or handle EU citizen’s data. And time is pressing, because the changes will come into force on May 25, 2018. The regulation includes fines of up to the greater of €20 Million or 4 percent of corporate annual turnover for firms that do not comply.

The survey results take the views of legal counsel at 448 institutions globally and in-depth interviews with over 30 senior general counsels, to offer a view of the state of GDPR implementation worldwide. The research demonstrates the varied level of confidence businesses across the EU and other markets (e.g. Australia, Brazil, Russia, Taiwan and USA) have in their ability to meet the 25 May deadline for GDPR compliance. The countries, regions and jurisdictions covered in this survey include key markets both within and outside the EU including; Australia, Brazil, Germany, Ireland, Italy, Russia, Spain, Taiwan, United Kingdom and United States.

This report offers a view of how legal teams are addressing the challenges of GDPR and identifies a number of leading practices for getting organisations systems and processes onside.

Survey respondents identified the key challenges:

  • The measures must be implemented throughout the enterprise, not just in individual departments or by individuals.
  • The GDPR requires comprehensive control of all IT systems and data processing activities - including legacy data assets that may be unknown to anybody in the organization.
  • The legal department cannot guarantee the implementation of the rules alone, but must work seamlessly with all other departments.
  • The GDPR standardizes principles, not normative regulations. Without precedents, the interpretation of these principles involves a degree of uncertainty.

The tasks are extensive and timeline is short. Surprisingly an overwhelming majority of businesses both within and outside the EU, seemed to not have scrutinised third-parties (e.g. commercial suppliers) as a source of compliance risk to their institutions. Only 10% of the organisations surveyed have checked whether these third-parties are in compliance with GDPR. Under GDPR third-party data breaches could potentially have a significant financial impact on unsuspecting large organisations, who outsource their data processing.

As legal counsel reported in interviews for the survey, the best solution to these challenges may be to focus on the opportunities. By approaching GDPR as a chance to invest in a leading-edge global data protection management system, KPMG member firm legal teams can help their clients get more control over data and leverage that data to gain more strategic value.