For the more than 250 organizations that responded to DLA Piperʼs online survey tool in the last year, the average alignment score with all key international data privacy principles was 38.3%. Larger organizations reported higher average levels of data protection maturity than smaller companies (39% as against 33.5%), according to the results of the survey.

Companies failing to comply with the EUʼs General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) after its implementation in May 2018 could face fines as high as 4% of global annual turnover, DLA Piper notes. Yet it appears that many companies are still falling short of their data protection obligations under GDPR, according to the press statement. 

“The responses show that many organizations still have work to do on their data protection procedures. Any organizations operating in Europe will need to see major improvements in their score by May 2018 if they are to avoid potentially heavy financial penalties under the GDPR, not to mention serious reputational damage as people become more and more aware of their rights in this area,” said Patrick Van Eecke, Partner and Global Co-Chair of DLA Piperʼs Data Protection practice. “With more and more organizations putting data at center stage, data protection will become an increasingly prominent issue. It is vital that organizations invest now in the strategy and processes needed to help them to meet their obligations,” he added.

“As privacy requirements, such as privacy by design, data portability and extensively documenting a privacy program, become more complex, compliance demands significant operational work that takes time. In this sense, the results are not surprising. However, the time to step up compliance efforts is this year, not next,” said Jim Halpert, U.S. Co-Chair of DLA Piperʼs Global Data Protection practice.

DLA Piper launched the Scorebox in January 2016 to help organizations all over the world assess their current levels of privacy maturity relative to industry peers. Respondents are asked a number of questions on areas such as storage of data, use of data and customersʼ rights, and are provided with a report based on a percentage score system, along with recommendations.

The EUʼs GDPR will apply to processing carried out by organizations operating within the EU and to organizations outside the EU that offer goods or services to individuals in the EU. The U.K. government has confirmed that the U.K.’s decision to leave the EU will not affect the commencement of the GDPR.