Only 29% of EU organizations are GDPR compliant

Six months after the deadline, only 29% of EU-based organizations have fully implemented the EU's General Data Protection Regulation (GDPR), leaving them susceptible to major penalties, according to a Thursday report from IT Governance.

GDPR came into effect on May 25, 2018, and applies to all organizations that handle data from EU residents, regardless of the organization's location or where the data is processed. If an organization fails to comply with GDPR, the maximum penalty is a fine of 4% of its global annual revenue.

SEE: EU General Data Protection Regulation (GDPR) policy (Tech Pro Research)

Nearly 60% of the 210 firms surveyed across EU industries EU said they were aware of the changes to data subject access requests (DSARs), but only 29% said they had plans to adapt their processes to address those changes. If DSARs are managed incorrectly, data subjects,file complaints, and fines can be issued, the report noted.

As part of GDPR compliance, organizations need to map their data and information flows to assess their privacy risks. Some 75% of respondents said they had conducted a data flow audit in some capacity, the report found.

In terms of security, 61% of organizations said they implemented basic controls to address data security and breach management, according to the report. And though just 29% of respondents said they considered themselves compliant with GDPR, more than 50% said they had procedures in place to notify their supervisory authority and individuals should a breach occur.

"It is discouraging to see so many organizations understanding the GDPR and its applicability to their businesses but failing to comply," Alan Calder, founder and executive chairman of IT Governance, said in a press release. "May 25 should have been the wakeup call, but it's not too late to begin your compliance journey. The time is now."

The big takeaways for tech leaders:

Also see