Organisations are struggling to ensure they're compliant with the right to be forgotten, breach notifications and more.
GDPR is just days away, but organisations are still struggling to meet the requirements for compliance with the incoming data protection legislation.
The European Union's General Data Protection Regulation framework consists of new laws and obligations -- including those around personal data, privacy and consent -- and will apply across Europe and beyond from 25 May.
Those organisations found not to be compliant with GDPR could face fines if found to misuse, exploit, lose, or otherwise mishandle personal data. The financial penalty could potentially reach four percent of company turnover -- a significant amount for any organisation.
However, according to a report by global professional services and consultancy firm EY, two-thirds of organisations are still finding it a challenge to be compliant and much more needs to be done in order to meet the requirements.
In addition to this, of all those surveyed, the majority said it will take a "moderate effort" to implement GDPR requirements for addressing expectations of informing EU citizens where their personal data is processed and for what purpose.
"Regulations such as GDPR continue to be a significant challenge," said Chris Ritterbush, executive director at Ernst & Young LLP.
When it comes to verifying that third parties directly gathering personal information from EU citizens obtain consent -- as is dictated by GDPR -- none of the organisations surveyed said they have this capability in place.
Almost half suggested it is still going to take a lot to become compliant with this requirement --five percent of firms will be building capabilities from scratch, while 43 percent reveal it will require major enhancements to their existing capabilities.
One of the key components of GDPR will mean organisations that suffer a personal data breach will have to notify EU customers that an incident has occurred within 72 hours of learning about it.
However, even though failure to do this could result in a hefty fine, almost half of those surveyed said they need to implement major enhancements in order to meet this GDPR criteria. Just five percent said they already have the capabilities in place.
But the area where the highest number of organisations are having the most difficulty, according to EY, is the right to be forgotten, where organisations and third parties must erase personal data related to EU citizens upon request.
Of those surveyed, no organisations said they had this capability in place, while 14 percent said they need to build the capabilities from scratch and will have difficulty doing so.
Despite GDPR being just days away, the EY report suggests that organisations are still struggling to become compliant -- and the problem won't be resolved for some time.
"Given these challenges, paired with the broader impact of the regulation and the short two-year window for compliance, organisations will need to expend significant energy and effort in the coming year," said the report.
A recent UK government report suggested that under half of businesses are aware of the upcoming GDPR laws and what they mean for how information security is handled.