A majority of data privacy professionals have concerns about the costs and complexity of complying with the EU General Data Protection Regulation (GDPR) and recommend organizations sign-up for the proposed EU-US Privacy Shield, according to a recent a Baker & McKenzie survey.

The Firm's 2016 EU GDPR and EU-US Privacy Shield Survey captures the views and expectations of over a hundred senior privacy professionals regarding the GDPR and EU-US Privacy Shield. This research was carried out last month during the International Association of Privacy Professionals’ 2016 Global Privacy Summit in Washington, DC, one of the largest privacy law conferences in the world.

“I think the survey responses clearly demonstrate that the majority of professionals in the privacy industry feel that the GDPR and Privacy Shield represent a call-to-action for organizations generally,” said Theo Ling, who chairs Baker & McKenzie’s Global Privacy and Information Management Steering Committee.


According to the survey, around 60-70 percent of respondents believe that organizations will need to spend at least some, if not significantly, more budget and effort to comply with the GDPR. In particular, around 70 percent of respondents believe that organizations will need to invest additional budget/effort to comply with the consent, data mapping and cross-border data transfer requirements under the GDPR.

In addition, around 45 percent of respondents indicated that they either do not have the tools to ensure that their organization complies with the main requirements under the GDPR, or else could only obtain such tools at significant cost.

The survey also explored respondents’ familiarity with and opinions on specific requirements under the GDPR, including its consent, data mapping, cross-border transfer, accountability, information security and privacy impact assessment requirements. Roughly a third of respondents agreed that the GDPR represents a "Global Game-Changer."

“Given the severe penalties of up to EUR20 million or 4 percent of total global annual turnover in fines for non-compliance under the GDPR, organizations would be well-advised to begin taking steps to ensure that they understand and comply with the requirements under the GDPR,” noted Dyann-Heward Mills, a Data Protection Partner in Baker & McKenzie’s London office. To assist organizations in getting ready for the new rules under the GDPR, Baker & McKenzie has prepared the GDPR Game Plan.

Privacy Shield

The survey also homed in on respondents’ views of the EU-US Privacy Shield, the proposed successor to the EU-US Safe Harbor Program which was invalidated in October, 2015. The vast majority of survey respondents indicated that they were familiar with the EU-US Privacy Shield and some interesting insights emerged from their responses. In particular, the majority of privacy professionals who responded recommended that organizations sign up for Privacy Shield and implement data transfer agreements in the interim before the program is validated.

“It is noteworthy that a majority of respondents indicated that they would recommend that organizations should self-certify to the Privacy Shield, as it suggests that Privacy Shield will have a strong participation and following,” observed Brian Hengesbaugh, who chairs Baker & McKenzie’s Global Data Security Steering Committee and served on the core team that negotiated the U.S.-EU Safe Harbor Privacy Arrangement.


“All in all, the survey responses provide a snapshot of privacy professionals’ views of the GDPR and Privacy Shield prior to their implementation,” said Jonathan Tam, an Associate in the Information Technology and Communications Practice Group who helped to develop the survey and report. “It will be interesting to see how these views evolve once the regimes take effect.”

Click here for a complimentary copy of Baker & McKenzie’s 2016 EU GDPR and EU-US Privacy Shield Survey Report.

Explore Our Newsroom