Corporations in the U.K., U.S. and EU are preparing for the GDPR at vastly different speeds.
Here's a fact that will leave many scratching their heads: the corporations most actively preparing for the European Union's (EU) General Data Privacy Regulation (GDPR) hail from the one country looking to greatly distance itself from the European continent.
Despite a looming Brexit, U.K. corporations are leading the way with GDPR compliance, with 40 percent having begun GDPR preparations, compared with 28 percent in the EU and 5 percent in the U.S., according to a survey of over 800 corporate IT professionals across the three regions conducted by IT community organization Spiceworks. In addition, the survey found that 5 percent of organizations in the U.K. are fully prepared for the regulation, more than double the share in the EU and U.S.
Though the U.K. may decide to implement its own data privacy regulation once it leaves the EU as planned in spring 2019, a year after the GDPR's early 2018 implementation, U.K. corporations that store, process or collect any EU citizens' personal data will be bound to comply with the GDPR, due to the regulation's extraterritorial reach. Peter Tsai, a senior technology analyst at Spiceworks and author of the report detailing the survey's findings, noted that the higher level of preparation in the U.K. is in large part due to the expected impact of the impending Brexit. By focusing on the GDPR now, he explained, U.K. organizations are looking to free up employees tasked with regulatory compliance to grapple with potential new laws and regulations the U.K. will pass once untangled from EU jurisdiction.
Tsai added that he believed the U.K. was moving quickly because "there aren't as many consultants that are up to date on, and could help with, GDPR compliance" as there are in the EU. U.K. organizations, therefore, needed to take extra time to prepare and understand the regulation.
The U.K.'s focus on the GDPR stands in contrast to the EU, where the survey found only 23 percent of corporations plan to begin preparing for the GDPR within the next three to 12 months, while 14 percent have no set plans to prepare as of yet.
Tsai linked the EU's slow pace to the fact that its local organizations are accustomed to "treating data more carefully and thoughtfully" than those in other countries, and would therefore have to spend far less time coming into compliance with the GDPR.
Tsai said U.S. organizations face the biggest hurdle with GDPR compliance because many "don't even know they need to comply, and they aren't following EU regulations for data privacy already, so the gap from where they are and where they need to be is greater than their EU counterparts."
The survey found that U.S. organizations were the least knowledgeable about the GDPR's effects on their businesses, though a majority in the U.K. and EU were likewise unaware of the regulation's repercussions. While 43 percent of U.K. professionals were informed about the GDPR's impact on their businesses, only 36 percent in the EU and 9 percent in the U.S. knew the same.
For Tsai, the confusion over the impact and compliance requirements of the GDPR is due to the regulation's complexity and scope. "This regulation is unchartered territory for some companies that have never seen a regulation like this before, especially in the U.S."
He noted that the GDPR can also be vague in detailing concrete actions companies can take for compliance.
"Just reading the regulation you don't know what solutions you need to buy, what type of training you need to give to your end user, what type of data practices you need to follow, or what the best practices you need established," he added.
Contact Rhys Dipshan at firstname.lastname@example.org. On Twitter: @R_Dipshan.