28% of organisations are not GDPR compliant, survey finds

By Ellen Daniel

Nearly a third of organisations in Europe are still not prepared for the European Union’s General Data Protection Regulation (GDPR), despite regulations coming in three months ago.

This is according to cybersecurity company Imperva, which conducted the survey on personal data rights and GDPR compliance at the Infosecurity Europe trade show.

Furthermore, the survey revealed that 16% of organisations did not feel confident that they would pass their first GDPR audit, with less than half of respondents very confident they would pass the audit.

GDPR compliance: The risks of not meeting law’s requirements

By not complying, companies could be putting themselves at risk of financial penalties, with possible fines of up to €20m or 4% of annual global turnover, whichever is higher, depending on the nature of the breach and the size of the organisation.

Imperva CTO Terry Ray is not surprised by the results:

“The deadline has now come and gone, yet the study shows that many organisations aren’t sure they have achieved GDPR compliance. Any company that put GDPR off until the last minute now realises compliance cannot be achieved overnight. It does not surprise me that many organisations feel unsure about the idea of a GDPR audit. The truth is many would fail.”

The survey also asked whether respondents knew where users’ personal data was stored on their systems. Although more than a third said that they did, more than half said they would need an extra three months to get their data storage in order.

Tony Richards, group CISO at security services company Falanx Group, said:

“The results don’t surprise me as an indication of the state nationally. Organisations do seem fairly polarised on GDPR, with many businesses, especially SMEs, either ignoring it, or buying some basic policy packages peddled by ‘GDPR Experts’ and thinking that they are covered. On the other hand, you have organisations who are either using qualified consultants or investing internally to ensure that they are compliant. I think it boils down to whether the organisation, culturally, is customer centric and therefore they see value in protecting their customers’ privacy, or if they see it as a compliance issue with the bare minimum to be done, if at all.”