In news that will probably surprise no one, a survey has found that few companies are complying with the requirements of the European Union’s new General Data Protection Regulation, which went into effect more than three months ago.

The research, which was conducted by data integration company Talend SA, found that while 98 percent of the 103 organizations that were contacted had updated their data privacy policy to conform with the new rules, 70 percent failed to provide data within the 30-day limit prescribed by the regulation.

Notably, only 35 percent of European companies — which are those most affected by GDPR – were able to comply with requests, versus 50 percent of those outside the EU. Overall, 70 percent of the companies contacted are based in Europe, 19 percent in North America and 11 percent in Asia/Pacific.

Retailers had by far the worst performance, with less than one quarter responding within 30 days. The best-performing segment – financial services – didn’t do much better with a 50 percent success rate.

One caveat to the study: The research was conducted between June 1 and Sept. 3, which makes comparisons difficult since the first companies were contacted barely a week after the regulation went into effect. The GDPR disclosure guidelines didn’t give Talend much leeway, said  Jean-Michel Franco, senior director of product marketing. “We had no choice, as GDPR gives one month to answer, plus two further months where necessary, taking into account the complexity and number of requests,” he said.

Talend said the study was intended to find out whether companies had updated their privacy policies in line with GDPR, fulfilled the requirement to give customers easy ways to request data, responded to requests in a timely manner and made that data portable.

The 30 percent of companies who did respond within the permissible time limit took an average of three weeks to do so. However, only seven companies responded within 24 hours. They were mostly streaming services, mobile banking and technology categories, while old-line brick-and-mortar firms fared far worst. “The research suggests that businesses that started out offline, and those that are hindered by legacy systems, may find GDPR compliance more challenging,” Talend said.

Targeted companies represented a variety of industries. Talend didn’t reveal the names of any of the firms that were contacted, but “most of them are widely known global brands, or European Fortune 50,” a spokeswoman said.

Among the anomalies researchers found were that four companies deleted accounts and data without asking permission and four appeared to have no idea what the term “personal data” meant. Nearly every company failed to fulfill the request for data portability, which allows people to securely move, copy or transfer personal data easily from one information technology environment to another.

An unspecified number of companies asked for additional personal information before failing to respond, a sign of poor data governance. One top financial firm responded by delivering printed pages via a secure mail courier, which is the definition of not portable. Only a handful of companies delivered what Talend called a “one-click, memorable customer experience.” Not surprisingly, they were companies with a strong technology focus, including Spotify AB, N26 GmbH and Garmin Ltd.

GDPR specifies penalties of €20 million (roughly $23 million) or 4 percent of an organization’s annual global revenue for each infraction, whichever is greater. That means that the surveyed companies would collectively be subject to a minimum of $1.6 billion in penalties. To date there have been no reports of successful prosecutions under the new guidelines, meaning that European regulators are, for now at least, leaving a considerable amount of money on the table.

Photo: Pixabay