Forrester report: About a third of companies say they’re ready for GDPR but may not be
Based on interviews with more than 3,000 companies in 10 countries, the report finds that some firms are underestimating the effort required.
With the launch of the General Data Protection Regulation (GDPR) only about a hundred days away, a key question is how many companies are ready to comply.
A recent report from Forrester Research, based on a survey of 3,195 security decision-makers in companies with more than 20 employees in the US and nine other countries, found that almost 30 percent of respondents think they’re GDPR-compliant.
But, Forrester analyst and report author Enza Iannopollo notes in “The State of GDPR Readiness: GDPR Readiness Progresses, But Strategies Depend Too Heavily on IT” [fee required], at least some of those firms have not actually done the work required, such as data discovery, data classification, data flow maps and gap analyses. Instead, she found, many companies appear to simply count on their IT departments to meet specific requirements, such as how to handle data breach notifications.
The big takeaway, she added, is “many companies are overstating their readiness” for GDPR. The report did not factor in the pending ePrivacy Regulation, since it has not yet been approved.
The Forrester survey found that only 26 percent of firms based in Europe said they were compliant. Another 22 percent of European companies expect to be compliant within eight months.
The report also notes that many companies don’t believe GDPR applies to them because they do not have offices in Europe. But, as Forrester notes, GDPR applies to them if they collect data on Europeans to build profiles or if they market to Europeans. “The percentage of companies not affected by GDPR is small,” the report says, without giving a number.
There is some disagreement among observers as to whether GDPR requires European citizens to be on European soil when the data is collected, that is, accessing a company's sites or apps through European IP addresses. But the physical location of the European citizen may eventually not matter, since it is difficult to envision that GDPR enforcers will accept that a citizen's personal data rights end when they step across a border, especially when the regulators have emphasized the portability of personal data.
Unsurprisingly, Forrester finds that companies in regulated industries like financial services are farther along in their compliance efforts, since they have established compliance and data protection teams in place. Those companies are also aware that, if they do not comply, they could be subjected to even more strenuous regulations than they currently obey.
Also unsurprisingly, firms in the media and retail industries are the farthest behind. And many companies are looking to tech when they should start with processes:
Too many organizations today rely mainly on technology to tackle GDPR compliance. Our research shows that adopting security controls such as encryption and tokenization, as well as acquiring controls for network security, tops the list of GDPR-related priorities. As a result, firms are neglecting requirements that hinge more heavily on processes, such as managing data subject rights and consent management.
One counter-productive circumstance, the report found, is that data protection officers often don’t have the control of the budget needed to comply with GDPR. Forrester also found that few firms have embodied “privacy-by-design,” where data privacy is embedded from the ground up in companies’ culture, technology, processes and business model.
GDPR, Iannopollo said, “requires a profound cultural change.”