U.S. companies haven’t learned much from the missteps they made while preparing for the European Union’s General Data Protection Regulation, says a new study on data privacy regulation compliance.

The Age of Privacy: The Cost of Continuous Compliance, from Datagrail, found that businesses without a European presence were not impacted by the GDPR. However, US businesses that were not subject to GDPR are now experiencing the same challenges that multinational companies faced with GDPR.

The study also found:

GDPR Compliance Took Longer Than Expected

  • Only half of companies achieved self-reported compliance before the May 25, 2018 deadline.
  • Most companies took seven months or longer to achieve readiness.

Even GDPR Readiness is Costly

  • Two-thirds of companies assigned dozens, or even hundreds, of employees to manage GDPR compliance. Based on survey results, the average organization likely spent 2,000 to 4,000 hours in meetings preparing for GDPR, more than a full year of work.
  • Half of privacy management decision makers spent at least 80 hours personally preparing for GDPR, and another 80 hours sustaining compliance, which is also a full month of work.

Privacy Rights Requests Are Time-Consuming and Error-Prone

  • Half of companies use manual processes to manage GDPR privacy rights requests, such as the right to be forgotten.
  • Two-thirds of companies have processed at least 100 requests in the past year, across dozens of business systems and third-party services, and most of them have at least 25 employees involved in request management. That adds up to thousands of touch points, each with the potential to introduce human error; the overwhelming majority of privacy professionals are working to reduce the risk of manual error in these requests.

CCPA Compliance Programs Face the Same Challenges as GDPR Programs

  • Two-thirds of privacy professionals believe it will take less than six months to prepare for CCPA, even though most reported that it took seven months or longer to prepare for GDPR. Even worse, technology adoption rates for CCPA are lower than they were for GDPR: companies are primarily training employees to manage privacy regulations, which increases the cost and risk of ongoing compliance.

Companies Will Be Challenged by the Future of Privacy Regulations

  • Most companies are approaching privacy regulations on a case-by-case basis; two-thirds of privacy professionals agree the systems they have put into place will not support new regulations.
  • 90% of companies plan to hire at least three new employees in the next two years to manage privacy regulations, but only one-third of companies are automatically updating their data inventory.