94% Of U.S. Companies Are Ill-Prepared to Comply With GDPR Requirements

Data privacy regulations like CCPA and GDPR continue to be strict. And newer regulations are being drafted or coming into existence. How compliant are U.S. companies with these laws? And how do they compare with Q1 2022 findings? CYTRIO tried to find out in its recent quarterly report.

August 9, 2022

As companies navigate a fast-changing and unpredictable business landscape, customer data privacy remains one critical element they cannot ignore. Data privacy regulations like GDPR remain as stringent as ever while new laws, as well as drafts, come into existence. According to Gartner, 65% of the world’s population’s data will be covered under privacy regulations.

So, how prepared are American companies to comply with these laws? CYTRIO published a quarterly report for Q1 2022 a few months ago, which showed that 90% of companies were ill-prepared to comply with CCPA requirements. The company recently published a report for the second quarter, which showed that not much progress had been made. According to the study, 91% of companies are non-compliant with CCPA, and 94% are unprepared for GDPR.

The following are the study’s findings in detail.


Few Companies Are Compliant With GDPR and CCPA Requirements

The study found that by the end of Q2, 91% of U.S. companies that must comply with CCPA were either partially compliant or non-compliant with the requirements, especially when managing data subject access requests (DSARs). It was also seen that more than 50% of companies that acknowledged in their privacy policy that they need to comply did not provide a mechanism for customers to exercise their data privacy rights.

Similarly, the study found that 94% of companies that must comply with GDPR were either partially compliant or non-compliant with the requirements. They also used error-prone or manual processes when managing DSARs.

In comparison, in the first quarter, 90% of companies were non-compliant with CCPA, while 95% were unprepared for GDPR requirements.

B2C Companies Are More Compliant Than B2B Companies

The study found that when comparing B2C and B2B businesses, B2C companies were better prepared to comply with CCPA. While 47.3% of B2C companies did not provide a mechanism for consumers to exercise their data privacy rights, 52.23% of B2B companies did not offer it. Similarly, B2C companies were better prepared to comply with GDPR requirements than B2B companies. In fact, B2C companies were two times more willing to implement a data privacy rights management automation solution than B2B companies.

In comparison, 45.39% of B2C and 49.64% of B2B companies were non-compliant with CCPA in the first quarter. Similarly, 9.09% of B2C and 3.28% of B2B companies were willing to implement a privacy rights management automation solution with respect to GDPR.

Further, the study found that both large and small companies were poorly prepared to meet CCPA requirements. That said, larger companies deployed CCPA data rights management automation solutions more than smaller companies. This is likely because they receive higher numbers of DSARs due to the fact that they collect and process more personal data.

CCPA preparedness by company size

Source: State of CCPA & GDPR Privacy Rights Compliance Research Report — Q2 2022

Top Three Compliant Verticals Constitute More Than Half of Companies Researched

According to the study, the top three compliant business verticals remained the same from Q1. These verticals were business services, retail, and finance, which also made up 55% of the companies researched. This is important as CCPA is agnostic to industry verticals in a broad sense, and all companies should evaluate whether they should comply with CCPA according to the guidance in the regulation.

Percentage of Companies With a DSAR Automation Solution Has Reduced

In Q1, the study found that only 10% of the surveyed companies deployed a CCPA DSAR management automation solution. However, in Q2, this reduced to less than 9%. B2C companies were two times more likely to deploy a GDPR DSAR automation solution than B2B companies. Further, both large and small companies were ill-prepared for GDPR, with 94% relying on manual processes.

Cost was the top reason for not implementing an automated solution, cited by 63% of companies, followed by complexity (22%). This implies that next-generation privacy management solutions that focus on ease of deployment, simplicity, and fast time to value may have better acceptance.


Slightly Compliant Groups Are Moving Toward Automation

The study investigated a random sample of somewhat compliant (manual processes) companies from the two quarters to see what percentage of them moved to either automation or non-compliant groups. It was found that 3.5% of companies in this group were moving toward automation. About 5% of B2B companies in this group from the first quarter cohort deployed an automation solution, while 2% of B2C companies did so. Similarly, 5% of large companies from Q1 deployed an automation solution while 2% of medium-sized companies did so.

The study also investigated a random sample of non-compliant companies from the two quarters to see what percentage had moved to somewhat compliant or automation groups. It was found that 6% of companies had moved to the partially compliant group. About 9% of B2B companies in this group moved to the somewhat compliant group, while 3% of B2C companies did so. Similarly, 4% of large companies from this group moved to the partially compliant group, while 8% of medium-sized companies did so.

Conclusion

We can see from the study that most companies are still either non-compliant or only partially compliant with GDPR and CCPA requirements. While a few non-compliant and somewhat compliant companies are slowly moving up the maturity curve toward total compliance compared to the first quarter of this year, more effort is needed to stay compliant. GDPR non-compliance-related penalties have already crossed $100 million this year. With newer data privacy regulations coming into existence across more countries and geographies, companies must take suitable measures now, without which compliance will only become more challenging and penalties heftier.

Karthik Kashyap