SAS Releases Research on Organizational Readiness for GDPR

According to a new survey from SAS, less than half (45%) of respondents have a structured plan in place for compliance with the EU's new General Data Protection Regulation (GDPR) and more than half (58%) indicate that their organizations are not fully aware of the consequences of noncompliance.

GDPR will go into effect in 2018, making organizations accountable for personal data protection including how and where data is stored and how it is processed within the organization.

Todd Wright, senior product marketing manager, Data Management, at SAS, discussed the survey findings at the recent Strata Data Conference in New York. Companies now understand that this is really about data management and governance, and they are now trying to figure out to what they need to do to prepare, said Wright. The biggest problem is accessing the data, and defining what is personal data, and from there the right to be forgotten and consent management are probably going to be some of the issues related to GDPR, he added.

“If someone wants to have all of their records erased, that speaks right to data quality,” said Wright. “If a good view of all a person’s records at a company does not exist, that person will never be forgotten at an organization. And the second one is consent management. Sensitive data like medical records data on minors is going to be a big issue. That is what regulators are going to be going after first–organizations that really aren’t compliant for that really sensitive data.”

According to the survey, most respondents feel that GDPR will have a large impact on their organization. However, many respondents (42%) indicate that their organizations are not fully aware of this impact.

Only 45% of organizations have a structured process in place to comply with GDPR, but of those only 66% think that this process will lead to successful compliance. In fact, many admit that they do not know how to determine if they are GDPR compliant.

Understandably, large organizations (more than 5,000 employees) are better equipped to handle GDPR with 54% being fully aware of the impact, compared to just 37% of small organizations.

Only 24% of organizations make use of external consulting to become GDPR compliant, but those with a structured process in place use external consulting more often (34%).

And, notably, just 26% of government organizations are aware of the impact of GDPR, the lowest of any industry segment.

Under the GDPR, individuals have the right to request that their personal data be erased or ported to another organization. This brings up questions about the tools and processes organizations need to have in place. For 48% of the respondents, it's a challenge just to find personal data within their own databases (copied data sets, CRM data, etc.). In these cases, complying with GDPR regulations will be an even more serious task. Of the surveyed organizations, 58% have problems managing data portability and the so-called right to be forgotten. Controlling access to personal data is also a serious challenge. Large organizations and financial institutions have more difficulty finding stored personal data than other organizations.

To prepare for GDPR compliance organizations should look at their current data management and data governance procedures and see how that can be a complement to GDPR, and also use GDPR as blueprint for how to enhance data governance in the future. That may have been one of the bigger surprises from the research results, said Wright. Organizations are looking at GDPR and recognizing that they can achieve some benefit from it as well.

When asked about potential benefits of the GDPR, 71% of respondents said believe that their data governance will improve as a result. The survey also showed that 37% of organizations think that their general IT capabilities will improve as they seek to comply and 30% agree that complying with the GDPR will improve their image. Further, organizations believe that customers will reap the rewards of compliance efforts. The survey shows that 29% of organizations think customer satisfaction will be higher as they work toward GDPR compliance. Another 29% say their organizations' external value propositions will improve.

For additional survey findings and implications of the GDPR, download the e-book at

Related Articles

GDPR is still months away from going into effect but many professionals in the data security space are warning customers to act now to avoid pain later. Technology-wise, an individual's right to be forgotten may be one of the most vexing issues related to the new EU's General Data Protection Regulation (GDPR) which goes into effect in May, 2018, notes Pete Zimmerman, VP of client services and operations at Sonian, a public cloud information archiving company.

Posted October 20, 2017