GDPR Benchmarking Survey

Complying with the most radical overhaul of data protection

January 2018

Fewer than 15% of organisations expected to be prepared for GDPR by 25 May. This report examines these matters and makes pragmatic recommendations on how to comply with the areas respondents feel present the greatest challenges. Most importantly, this report considers how privacy can become more than a compliance exercise; how it can become a real business asset and enabler, and maybe even a competitive advantage.


Our General Data Protection Regulation (GDPR) benchmarking survey was conducted across a sample of organisations and industry sectors in EMEA. The aim of this survey was to understand how organisations are preparing for GDPR compliance, how advanced their implementation plans are, and how confident they are of achieving their goals by 25 May 2018.

Our key findings

  • Readiness approaches: Organisations are taking a wide range of readiness approaches, driven by the combination of the potential for significant fines, the increased obligation to demonstrate proactive compliance and the complexity and ambiguity of some of the requirements. There is little correlation between organisation size (by headcount or revenue) and spend, nor any clear trends in different industry segments.
  • Privacy as an enabler: 61% of respondents see further benefits of remediation activities beyond just compliance. Of those, 21% expect ‘significant benefits’, including competitive advantage, improved reputation and business enablement. For example increased transparency requirements offer another excellent opportunity to engage with customers to demonstrate the measures the organisation is taking to protect their data. As well as ticking a compliance box, with the right engagement strategy the exercise can demonstrate data ethics, build trust with customers, and increase the consumer trust in the brand.
  • Time left to achieve compliance: Most organisations did not feel they have time to implement the necessary activities to achieve compliance before the effective date of the Regulation. Only 15% expect to be fully compliant by May 2018, with 62% instead opting for a risk-based, defensible position. The remaining 23% have even lower expectations for their compliance position.
  • Regulatory ambiguity and lack of guidance: The scope of the GDPR – covering organisations of all sizes and sectors that process personal data – leaves regulatory bodies with the difficult task of providing meaningful guidance that is individually relevant to such a wide audience. Respondents repeatedly raised the challenge of interpreting the Regulation text as a key issue, and welcomed further guidance from the Article 29 Working Party (WP29). Many organisations have therefore been left struggling to answer the question, ‘How far is good enough?’ when determining what to do.

Top 5 thematic considerations for implementing a GDPR programme:

  1. A wide range of stakeholder engagement is required. There are few compliance topics that have implications across such a wide range of areas including executive sponsorships and accountability from all business functions.
  2. It is important to drive towards collective outcomes. A clear, tangible and agreed target state across each GDPR area is required to bridge the gap typically seen between programme teams and the business.
  3. The Regulation encourages a risk-based approach. This can be applied across many aspects; from completeness of your data inventory, to which systems you proactively analyse and prepare so they can deal with rights, such as portability and erasure. Set tangible parameters.
  4. It is vital to ensure internal messaging is relevant such that everyone can see the importance of the topic.
  5. Make sure your programme includes the definition of a long term operating model that sets out roles and responsibilities such as how privacy risk is managed and how it is monitored and assessed. 
Did you find this useful?