Sharp Divide As 65% Of Companies Aware Of EU Privacy Changes Are Already Preparing With 21% Setting Aside More Than $0.5 Million to Comply

SAN FRANCISCO, November 5 2015 – New research out today shows that only half of U.S. based businesses are aware or preparing for the pending EU regulation on data privacy. The General Data Protection Regulation (GDPR) is slated to become law by the end of 2015 and will mandate that all companies with EU customers follow the new rules wherever they’re based.

The research revealed the discrepancy between businesses who were unaware of the pending regulation and a smaller more informed group of companies who have set aside in excess of half a million dollars to address the necessary changes.

TRUSTe CEO Chris Babel said, “While the surprise dismissal of the Safe Harbor agreement has caused uncertainty for thousands of companies, this is the tip of the iceberg compared to the sweeping and stringent changes about to be adopted by EU regulators.

“The GDPR represents the most significant global development in data protection law in the last twenty years and for many US companies will require a complete restructuring of the way they currently collect, store and transfer personal data. Despite over four years of high profile negotiations, half of companies are still unaware and there is a worrying chasm between those who are actively preparing and those blind to the changes ahead.”

Detailed findings

The EU Data Protection Regulation Awareness study was commissioned by TRUSTe the leading provider of data privacy management solutions. The research was conducted via an online survey from September 18 – October 6, 2015 using a representative sample of 202 professionals with knowledge of data privacy from companies with >250 employees in U.S., UK, France and Germany.

Awareness was the highest amongst financial services companies (58%) and lowest amongst tech companies that are some of the greatest users of data (43%). Companies with mature privacy programs (10-25 privacy employees) had the highest awareness. There was surprisingly no significant difference in awareness between the US and businesses based in the UK, France and Germany.

Of those aware of the GDPR, 73% agreed it was the most important change in data privacy regulation in the last 20 years and two thirds (65%) are starting to prepare even before the final law is agreed:

  • 83% had already allocated budget with 21% allocated $0.5 million or more to address the changes
  • 56% placed this currently ‘High’ or ‘Very High’ on their Corporate Risk Register
  • 43% identified a need for technology solutions to meet compliance requirements

Even though this survey was conducted before the European Court of Justice ruling on the validity of the Safe Harbor agreement, there is still a high belief that the new legislation will have teeth with 77% thinking that it will be actively enforced by EU regulators. 82% think it will be a higher enforcement priority than the EU Cookie Directive and 76% agree they will spend more on GDPR compliance than for the EU Cookie Directive.

While the top concerns were the new penalties (42%) and tighter consent requirements (37%), the good news is that around four out of five companies (82%) felt the changes would have a positive impact on consumer data protection.

This research will be presented at the EU Data Protection 2015 Conference in San Francisco on December 8. For more details and to register see


About the EU General Data Protection Regulation

The European Commission first proposed sweeping changes to EU data protection law in January 2012. After nearly 4 years of debate the proposal has now reached the final stage of negotiations between the European Commission, the European Parliament and the Council of Ministers and is expected to be agreed by the end of 2015 with a two-year implementation period. The GDPR will significantly change the landscape of EU privacy and data protection in several key areas, including: substantial new penalties of up to €100 million, or 2-5% of annual worldwide turnover, whichever is greater; increased territorial scope, impacting hundreds of thousands of businesses including many outside the EU; tighter requirements for obtaining valid consent to the processing of personal data; new restrictions on profiling and targeted advertising; new data breach reporting obligations; direct legal compliance obligations for “data processors;” and extended data protection rights for individuals, including the “right to be forgotten”.


About TRUSTe

TRUSTe powers privacy compliance and trust by enabling businesses to use data across their customer, employee and vendor channels. We have nearly 20 years experience and a team of over 150 professionals dedicated to providing data privacy management solutions and services, including assessments, certifications and our SaaS-based Platform. The Data Privacy Management Platform provides control over all phases of privacy; from conducting assessments and implementing compliance controls to managing ongoing monitoring. Companies worldwide rely on TRUSTe to minimize compliance risk and protect their brand. See


For media inquiries, please contact:

Eleanor Treharne-Jones, TRUSTe

+1 (415) 766 6478