The IAPP, which has more than 44,000 members worldwide, surveyed 550 of its members, 80% of which were from either the US or Europe. It found that just 44% of businesses believe that they are entirely compliant with the GDPR.
The survey found that almost 20% of businesses believe full compliance with the GDPR, which took effect on 25 May this year, is impossible.
"More than half the respondents subject to GDPR (56%) say they are far from compliance or will never comply," the survey report published by the IAPP (132-page / 5.83MB PDF) said.
The results of the survey suggest that many businesses have found complying with some aspects of the GDPR, such as its data portability rules and consent regime, easier than they had anticipated last year. The survey also revealed that many businesses have appointed a data protection officer (DPO) despite not believing they are legally obliged to do so.
The GDPR requires certain organisations to appoint a DPO and sets out how the DPO should operate. However, while 89% of the EU businesses and 67% of US companies surveyed said they had appointed a DPO in response to the GDPR, 48% of all respondents who said their employer had appointed a DPO in response to the GDPR said they had done so "even though they were not obliged because it serves a valuable function for the firm".
The survey also highlighted the impact that the GDPR had on the outsourcing market – 25% of respondents said they had switched to a different data processor due to the GDPR.
The IAPP said: "A 25% shift in any market can cause major disruption. And the future may be highly unstable for data processors who fall behind in their GDPR compliance efforts. Fewer than half of respondents are confident they will keep their existing processors, while 30% plan to change vendors. A meaningful 26% are still on the fence. This loudly signals that processors are well served to take the GDPR seriously if they’d like to hold on to their customers."
The survey also found that 89% of businesses rely on EU standard contractual clauses to transfer personal data outside of the EU. It is "far and away" the most popular tool for cross-border data transfers, the IAPP said. Just under half of the respondents said they utilise the EU-US Privacy Shield for data transfers. Both the Privacy Shield and EU standard contractual clauses are subject to legal challenge in Europe.
"Binding corporate rules, largely considered the 'safest' of transfer mechanisms, are only used by 28% of companies, reflecting the difficulty of getting them approved by an EU supervisory authority," the IAPP said.