Fortune and FTSE Companies Underestimate GDPR Compliance by May 2018, New Research Shows

December 15, 2017

  • 94% of FTSE 350 companies say they are on track for compliance, and 98% of Fortune 500 companies consider themselves the same

  • 47% of US companies have set up an internal GDPR taskforce

  • Only 10% of FTSE 350 companies are budgeting for GDPR

  • International law firm Paul Hastings surveyed GCs and CSOs in the UK and US to reveal true cost of GDPR compliance ahead of May 2018 deadline

Most FTSE 350 and Fortune 500 companies are underestimating whether they will be able to fully comply with the upcoming General Data Protection Regulation (GDPR) by May 2018, new research by international law firm Paul Hastings has shown.

See also here: Fortune and FTSE Firms to Spend Millions Gearing up for GDPR Compliance, New Survey Shows

The survey of 100 FTSE 350 General Counsel (GCs) and Chief Security Officers (CSOs) and 100 Fortune 500 GCs and CSOs reveals 98% of Fortune companies consider themselves to be on track for GDPR, with 94% of FTSE companies saying the same.

In both markets, although steps in the right direction are being taken, over half of companies across the UK and US aren’t readying themselves in time. Only 43% are setting up an internal GDPR taskforce (39% in the UK, 47% in the US), a third are hiring a third-party to conduct a GDPR gap analysis (33% across both locations) and only one in three is hiring a third-party consultant or counsel to assist with compliance (33% in the UK, 37% in the US).

Despite being one of the crucial requirements for GDPR compliance for any business involved in the ‘large scale monitoring of individuals’, hiring a Data Privacy Officer or additional privacy staff has only been actioned by 29% of UK GCs/CSOs and even fewer Fortune 500 companies (18%). More significantly, only 10% of UK companies have allocated budget for GDPR compliance.

Behnam Dayanim, partner and global co-chair of the Privacy and Cybersecurity practice at international law firm Paul Hastings, said: “Achieving GDPR compliance is an enormous task – one that in our experience almost inevitably requires dedicated resources and budget. Against that backdrop, the confidence among major corporations revealed in our survey seems mismatched with those same businesses’ reports of their implementation efforts.

“With so few companies undertaking key compliance measures to date, it will be a race to the finish line for those needing to meet the terms of this wide-reaching regulation. This unfortunately seems to be setting up a scenario for multiple investigations and enforcement activities once the implementation date arrives.”
The EU’s General Data Protection Regulation (GDPR) is coming into force in May 2018 and will affect any business which controls or processes the data of EU citizens, regardless of where the business is located. As part of the wide-reaching regulation, businesses can be fined up to 4% of global turnover should they fail to comply with GDPR.

At Paul Hastings, our purpose is clear — to help our clients and people navigate new paths to growth. With a strong presence throughout Asia, Europe, Latin America, and the U.S., Paul Hastings is recognised as one of the world’s most innovative global law firms.

About the survey

100 General Counsel/Chief Security Officers were surveyed from FTSE 350 companies in the UK and 100 General Counsel/Chief Security Officers were surveyed from Fortune 500 companies in the US in July 2017.


Please find a link to an infographic which visualises this data here: https://www.paulhastings.com/docs/default-source/pdfs/ph_gdpr-2.pdf

Practice Areas

Data Privacy and Cybersecurity



Corporate, Litigation, Real Estate, Intellectual Property, Life Sciences, and Employment

Becca Hatton


Katy Foster


Miranda Ward

Submission Requests

Firmwide Inquiries

Elliott Frieder

Get In Touch With Us

Contact Us