“Confusion about the regulations remains a significant problem for many companies,” said Todd Thibodeaux, CompTIA president and CEO.

A full 52 percent of 400 U.S. companies surveyed are either still exploring the applicability of GDPR to their business; have determined that GDPR is not a requirement for their business; or are unsure.

Just 13 percent of firms say they are fully compliant with GDPR. Another 23 percent report being mostly compliant, while 12 percent say they are somewhat compliant.

“Only one in four respondents claim to be very familiar with GDPR,” Thibodeaux reported. “Some believe it applies primarily to companies in the EU; others, only to large multinational corporations. Alarmingly, three in ten companies believe GDPR does not go into effect until the end of 2018.”

Nearly two-thirds of firms are unaware of the hefty GDPR fine structure for non-compliance.

“With fines that could potentially reach the greater of 20 million euros or four percent of annual revenue, companies subject to the regulations are running a huge financial risk by failing to put a GDPR plan in place,” Thibodeaux said.

In preparing for GDPR, 22 percent of firms have developed a compliance plan. A similar percentage (21 percent) have conducted data audits and readiness assessments, including review of existing privacy policies, terms of services and consent protocols.

Despite the time and cost associated with GDPR compliance, most U.S. companies acknowledge receiving secondary benefits from the exercise. Nearly one in three companies see value in conducting an internal data audit; while 29 percent cite the benefits of reviewing and updating their data breach notification plan.

GDPR may have prompted some companies to examine their approach to data governance. Though relatively few companies (12 percent) have dedicated data governance officers or chief data officers that may change. One in four large companies surveyed indicate a strong likelihood to hire a data governance or chief data officer within the next two years.

The Comp TIA survey also finds that U.S. companies are split on whether GDPR will impact their business opportunities in the EU. About one-third of the firms surveyed do not believe GDPR will have an impact on their current or future approach to business in the EU. Another third indicate GDPR may negatively impact their desire to engage in business activities in countries governed by GDPR. The remaining one-third of firms are unsure.

The Comp TIA research brief “The State of GDPR Preparedness in the U.S.” is based on the results of an April 2018 online survey of executives and professionals with some level of data responsibility for their organisations. A total of 400 individuals from small, medium and large companies across every industry sector of the U.S., economy participated in the survey.