Only five per cent of organizations claim to be ready for GDPR

26 April 2018

Research conducted by BSI, the business improvement company, has underlined the growing concern that European businesses are simply not ready for the General Data Protection Regulation (GDPR). Even though 97 per cent of organizations admit that the implementation of the GDPR will affect their business, just 5 per cent say they are fully prepared for the new data regulation, with 33 per cent stating that they are just over halfway to compliance.

The GDPR comes into effect on 25 May 2018 and will require all organizations to comply with stricter rules concerning the data protection and privacy of data subjects (citizens) within the EU. Failure to comply could result in fines of up to €20 million or 4 per cent of an organization’s annual global turnover, with supervisory authorities expected to crack down hard to encourage greater compliance.


Just four weeks away from the deadline, the research from the Cybersecurity and Information Resilience division of BSI has found that European businesses are aware of the looming deadline – but far from ready. Over half of organizations surveyed highlighted their concern regarding the role of their employees in GDPR compliance, with one in five businesses revealing that they had experienced a data-compromising incident in the past 12 months. The Data Protection Commissioner reported 2,795 valid data security breaches in 2017, an increase of 26% from 2016¹.

The research also revealed that: 

  • One in five senior managers are actively engaged with the GDPR on behalf of their organization
  • 36 per cent are allocating a substantial level of resources to meet GDPR requirements
  • 97 per cent of organizations admit that the GDPR will affect the way they conduct their business

Data Protection Officer (DPO)

While specific sectors (e.g. public authorities) and organizations engaged in high risk data processing are obliged to appoint a Data Protection Officer under the GDPR, the survey found that: 

  • Only 27 per cent of organizations have a DPO training programme in place
  • More than half of organizations do not provide data protection training to employees
  • 63 per cent of businesses have not assigned a DPO

Privacy Impact Assessments (PIAs)

An additional key requirement of the GDPR is the Privacy Impact Assessment (PIA), a risk-based assessment used to ensure that the rights and freedoms of individuals are protected when an organization processes their data. Alarmingly, the research revealed that over 40 per cent of organizations surveyed weren’t aware that PIAs will be a mandatory requirement, and only 12 per cent claimed to have a good knowledge of PIAs.

Commenting on the research, Stephen O’Boyle, Head of Professional Services at BSI, said: “There’s a lot of talk surrounding the GDPR but with less than one month to go our research shows that organizations are still unprepared and don’t fully understand what’s required of them. Becoming GDPR ready is less complicated, less expensive and less daunting than many businesses think.”

“Data processing is an issue for everyone and awareness levels are increasing – the recently published Data Protection Commissioner annual report highlighted that complaints had increased by 79 per cent compared to 2016² and this year it’s anticipated that this figure will be even higher. The new General Data Protection Regulation was set up to benefit everyone and having the right systems in place is not only good practice but will ensure that organizations build trust and transparency with their customers and minimise privacy and security risks for the future,” concludes Stephen O’Boyle.

BSI Cybersecurity and Information Resilience provides a range of solutions to help organizations become GDPR compliant including consulting, training, research, technical solutions and outsourced Data Protection Officer (DPO) services.

Notes to Editor:

Over 1,800 European respondents took part in the research, including participants from Belgium, France, Germany, Ireland, Italy, the Netherlands, Poland, Spain and the UK.

The research was carried out as part of the BSI Cybersecurity and Information Resilience Path to GDPR compliance series, which included webinars on GDPR topics covering the Role of DPOs; 20 steps to achieving compliance; and Privacy Impact Assessments (PIAs).

Respondent industry sectors covered Aerospace & Defence; Chemical & Utilities; Education; Energy; Financial; Government; Healthcare; Information Technology; Insurance; Legal; Manufacturing; Retail; Telecommunications; Transportation & Distribution.

1/2 Statistics highlighted were published on 27 February 2018 as part of the Data Protection Commissioner 2017 Annual Report