This is the follow-up study to last year’s research, The Race to GDPR. In this year’s study, we expanded the research, for the first time, to include China and Japan in addition to the United States and Europe. A total of 1,263 organizations are represented in this study.
The uniquely demanding European Union (EU) General Data Protection Regulation (GDPR) came into force on May 25, 2018, virtually transforming how organizations in every industry handle personal data. This study reflects practical difficulties and regional differences in levels of adherence to GDPR across Europe, the US, China and Japan.
Sponsored by law firm McDermott, Will and Emery LLP and our strategic alliance MWE China Law Offices, this follow-up research tackles the ongoing challenges in the wake of GDPR and the practical difficulties organizations face despite their dedication to implementing the new requirements. Participants in this study work in a variety of departments including IT, IT security, compliance, legal, data protection office and privacy. All organizations represented in this research are subject to GDPR.
Executive Summary: GDPR Progress and Data Breach Management
GDPR work is ongoing as most organizations did not meet the May 25, 2018 deadline. Many organizations are renewing their GDPR budgets accordingly. Most organizations represented in this research report that GDPR took longer than they had anticipated (54 percent of respondents) and that it was equally or more difficult to implement than other data privacy and security requirements (80 percent of respondents). Most organizations have a GDPR budget (72 percent of respondents) About a third of these respondents say the budget will be renewed annually (35 percent of respondents) or continue indefinitely (24 percent of respondents).
About half of the respondents say their organizations had GDPR data breaches that must be reported to regulators. Forty-six percent of respondents say their organizations had an average of approximately two reportable data breaches since GDPR came into effect and about one in six received a follow-up inquiry or inspection from the Regulator. Thirty-nine percent of respondents in US organizations and 45 percent of respondents in European organizations say they reported a personal data breach to a Regulator.
Data breach reporting under GDPR continues to be a major challenge across the board for almost all organizations, regardless of region. Only 18 percent of respondents are highly confident in their organizations’ ability to communicate a reportable data breach to the relevant regulator(s) within 72 hours. This suggests that early breach awareness and identification, even on a preliminary basis, continues to be a major difficulty with more help needed.
More US organizations reported GDPR cyberattacks than other regions. Respondents in US organizations say they experienced more cyberattacks (45 percent) under GDPR than respondents in European (34 percent), Japanese (38 percent) and Chinese organizations (31 percent).
More US organizations than European and Chinese organizations engaged an external cybersecurity service to investigate GDPR security incidents. The use of outside forensic vendors to investigate cyberattacks is higher in the US (44 percent of respondents) than in European (40 percent of respondents) and Chinese (25 percent of respondents) organizations. Surprisingly, 47 percent of Japanese respondents used forensic vendors, which is more than US organizations. Greater use of external forensic organizations likely identifies cyberattacks earlier and more accurately than the use of internal IT resources alone. As Europe and China catch up with the US experience of data breach management, we would expect the reported percentage of GDPR data breaches due to cyberattacks and the use of outside forensic firms to increase.
Many respondents from the US, Europe and Japan engaged external cybersecurity services. Forty-seven percent of Japanese respondents and 44 percent of US respondents say their organizations used an external cybersecurity service provider to investigate GDPR data breaches or cyberattacks. Forty percent of EU and 25 percent of Chinese respondents say their organizations engaged such a service. Of these respondents, 65 percent of US, 56 percent of European and 55 Japanese respondents say the work was conducted under litigation or attorney-client privilege.
Cyber risk insurance was obtained by approximately a third of the organizations, and of those, less than half say that their insurance covers GDPR fines or penalties. Approximately a third of respondents report that their organizations have insurance that covers cyber risks, and 43 percent of those respondents say their cyber insurance policy covers GDPR fines or penalties. The types of incidents most often covered by cyber insurance policies are external attacks by a cyber criminal (62 percent of respondents), human error, mistakes and negligence (41 percent of respondents), and malicious or criminal insiders (38 percent of respondents). However, 10 percent of respondents do not know what their cyber risk insurance policy covers.
A surprisingly high percentage of respondents say their organizations appointed a Data Protection Officer (DPO) under the GDPR, and about half of the non-European respondents say they appointed an EU Representative. These high numbers are surprising because there are notably strict criteria for appointing DPOs and EU Representatives. These findings, however, may also include voluntary appointments for these positions.
United States and European Findings
More than half of respondents in US organizations apply GDPR data subject rights to both US and European employees. Fifty-seven percent of these respondents say their organizations do so because they want to take a global approach, while about half of these respondents (49 percent) believe it is required by the GDPR.
More US respondents than European respondents say compliance with GDPR will assist in their compliance with the California Consumer Privacy Act (CCPA). Forty-six percent of US respondents say compliance with GDPR has helped define the strategy and overall approach to their compliance with the forthcoming California Consumer Privacy Act (CCPA) and other US state privacy laws, while 30 percent of European respondents say this is the case. Forty-three percent of US respondents and 33 percent of European respondents say compliance with the CCPA and other US state privacy laws will cause their organizations to re-evaluate their compliance position under the GDPR.
China has the lowest level of compliance with GDPR. Only 29 percent of the Chinese respondents say their organizations are fully compliant with the GDPR, more than 10 percent lower than what respondents in US and European organizations are reporting. Fifty percent of Chinese respondents say GDPR is as difficult to implement as other data privacy and security requirements.
Chinese respondents use internal resources to respond to data breaches, rather than external ones. Only 25 percent of Chinese respondents use external cybersecurity services to investigate data breaches, which is significantly less than other countries.
Chinese respondents’ means of compliance under the GDPR lags behind US and European respondents. Fewer Chinese respondents take measures in several key areas to maintain GDPR compliance compared to US and European respondents, including localization, document retention and creating a data map showing data flow and process. Only 2 percent of Chinese respondents have evaluated their relationships with third-party vendors, in contrast to the 45 percent of respondents in US organizations and 30 percent of respondents in European and Japanese organizations. This is likely due to differences in data transfer rules and China’s data security laws.
Unlike US and European respondents, fewer Chinese organizations report they have purchased cybersecurity insurance. Only one-in-five Chinese respondents (19 percent) report that their organizations have insurance covering cyber risks. Fifteen percent of these respondents are not sure what types of incidents their cyber insurance policies cover, which is higher than the percentages from the other jurisdictions.
Most respondents say their organizations have not achieved full compliance with GDPR. Only 32 percent of Japanese respondents say their organizations have achieved full compliance with GDPR. Forty-one percent of Japanese respondents say the GDPR is as difficult to implement as other data privacy and security requirements (e.g., Japanese Data Protection Legislation or China’s cybersecurity law).
Japanese respondents adopt measures to prevent and respond to data breaches—but they are not as regular with assessments. Forty-seven percent of Japanese respondents say they use external cybersecurity services to investigate data breaches, which, as noted, is more than what respondents in US and European organizations report. Less than half of Japanese respondents (43 percent) regularly conduct testing, assessments or evaluation of the effectiveness of technical and organizational measures for ensuring the security of the processing. In contrast, 65 percent of respondents in China and 54 percent of respondents in European organizations take such security actions.
Japanese respondents’ awareness in complying with the GDPR also lags behind US and European respondents. Japanese respondents say their organizations take measures in several key areas to maintain compliance compared to what respondents in the US and Europe report. These actions include introducing or updating document requirements (39 percent of respondents), creating a data inventory (46 percent of respondents) and investing in new technologies or services (39 percent of respondents), but this is less than reported for US, European and Chinese organizations.
Read the complete findings at the McDermott, Will and Emery website.