Skip to Main Content
Main Menu

TrustArc 2017 Privacy and GDPR Compliance Research Report

Annie Greenley-Giudici

As part of the TrustArc Privacy Risk Summit in May 2017, a new privacy study focused on U.S. private sector efforts to meet privacy mandates and the readiness of companies for GDPR implementation. To gather this GDPR compliance research, the online survey was fielded to 203 UK and 204 US privacy professionals at a group of small, mid-size, and large companies subject to the GDPR in a mix of industries.

  • Small: 500-1,000 employees
  • Mid-size: 1,000-5,000 employees
  • Large: Over 5,000 employees

All privacy professionals surveyed are responsible for data privacy at companies of at least 500 employees, all of which are required to meet GDPR compliance.

General Privacy Market Results

98% of respondents felt that the complexity of managing privacy is increasing. 56% felt managing privacy is becoming significantly more complex.

The primary privacy ownership is limited to a few groups.

In smaller companies, the legal department primarily handles ownership of privacy issues.

In larger companies, compliance tends to increase ownership of privacy.

The majority of companies report the need for technology to manage privacy is increasing, with 51% saying the need is becoming significantly greater.

Currently, most companies (66%) are using Governance, Risk, and Compliance (GRC) software, but a wide range of other options including specialized privacy software solutions (37%) are also popular.

Privacy budgets are also increasing for 97% of companies, with 47% saying their budgets are becoming significantly larger.

GDPR Compliance Research Results

For all companies responding, approximately 40% are still designing their GDPR plan and only about 10% have GDPR plans well underway.

A majority of both US and UK respondents haven’t yet begun implementing their GDPR plan (61% for US and 64% for UK).

Indicating that many companies have a significant amount of GDPR implementation ahead of them.

US and UK privacy professionals were asked where they needed the most help complying with data privacy requirements.

  • For US respondents, developing a GDPR plan topped the list at 39%, followed by addressing international data transfers at 36% and meeting regulatory reporting requirements at 30%.
  • For UK respondents, developing a GDPR plan topped the list at 27%, followed by conducting privacy risk assessments (PIAs and DPIAs) at 26% and addressing international data transfers at 24%.

GDPR Compliance Budgets

Responding companies have set aside relatively large budgets for GDPR compliance for 2017-2018.

For all companies responding, the #1 budget amount cited was between $100,000 to $500,000 (42%), with the #2 budget cited between $500,000 and $1,000,000 (23%).

GDPR compliance budgets of over $1 million accounted for 9% of small companies, 19% of mid-size companies and 23% of large companies.

Nearly 1 in 4 large companies plan to spend over $1 million on GDPR compliance.

However, with respect to GDPR plan spending, the US respondents expect to spend more than their UK counterparts.

  • 83% of US respondents and 69% of UK respondents expect GDPR spending to be at least $100,000 (74,000 GBP).
  • 40% of US respondents and 25% of UK respondents plan to spend at least $500,000 (370,000 GBP).
  • 17% of US respondents and 6% of UK respondents expect to incur costs of over $1 million (740,000 GBP).

GDPR investments will go to a wide range of initiatives including consultants, internal hiring, and additional technology and tools.

Privacy Program Implementation Results

Companies report needing help in a wide range of areas, topped by GDPR planning, international data transfer, compliance reporting, conducting PIAs and DPIAs, and data inventory.

Many GDPR implementation plans begin with conducting a data inventory; however, companies face three common challenges when it comes to data inventory.

The three challenges cited most by the privacy professionals surveyed were

  • difficulty to maintain and update privacy programs (57%),
  • lack of appropriate tools and technology (56%),
  • and lack of internal resources (54%).

Approximately one-half of the respondents indicated a need for technology and tools to automate and operationalize data privacy (48% for US and 50% for UK).

Additionally, 50% of the respondents preferred dealing with outside vendors that could provide both tools and technology, together with process/legal expertise.

In terms of desired capabilities for third party vendors, the most important in terms of priority ranking were knowledge of the customer’s industry (48%) and years of experience (39%).

98% of all of the US respondents and 92% of all UK respondents reported that they will invest in resources such as technology, consultants and new hires to help prepare for next year’s May deadline.

Key Topics

Get the latest resources sent to your inbox

Back to Top