With only one year to go before the European Union General Data Protection Regulations (GDPR) deadline, many US businesses with European customers are not fully prepared to comply with the new laws, which include ‘Right to be Forgotten’ customer consent mandates and regulations on how customer data is handled. US companies, or any organization that stores data on EU citizens, will face hefty fines or lawsuits if they don’t fully comply – up to 4% of annual turnover or €20 million, whichever is greater.

US large-company CIOs saying they are well-briefed on the impending laws, up from 73%, when asked the same question last year. However, only 60% have detailed plans in place to address the new laws’ requirements. This is up from 33% from last year’s survey, but suggests there is still significant work ahead.

94% of the large US company CIOs surveyed say their companies have personally identifiable information (PII) on EU customers, making the new mandates applicable to them.

Particularly challenging is the mandate to obtain customer permission to use PII in application testing, a critical part of software development. 55% of US firms have a plan in place to address this, but nearly one-third say they don’t fully understand the impact of this ruling.

The data complexity of modern systems is also an issue, as 85% admit it’s sometimes difficult to know exactly where all their customer data resides, an increase from last year’s survey with 78% then admitting that difficulty.

“US organizations are heading in the right direction on GDPR compliance, but there is still work to be done to improve data governance capabilities,” said Chris O’Malley, CEO of Compuware. “Manual processes that are used to locate and protect customer data must be replaced with automated capabilities that enable businesses to quickly, accurately and visually manage data privatization and protection.”

The findings also reveal US organizations are better prepared for the GDPR than their European counterparts. Compared to the 60% of US companies saying they have detailed and far-reaching plans in place, only 19% of UK companies have such plans prepared, a modest improvement of only 1% since last year.

US respondents ranked their biggest GDPR compliance hurdles to overcome as follows:

• Design and implementation of internal processes (65%)
• Securing customer consent to use their personal data and handling the process of data withdrawal if requested by the customer (64%)
• Ensuring data quality (52%)
• Cost of implementation (43%)
• Data complexity (41%)