Eighteen months after the GDPR implementation, PwC Luxembourg conducted a second survey to assess where the Luxembourg market stands, how data privacy challenges have been tackled and what changed since the first edition of the survey.  

PwC Luxembourg sent out 25 questions to Luxembourg players from different industries. Launched mid-January 2020, the survey was available to the respondents during one month; a total of 111 respondents took part.

PwC Luxembourg’s first survey, launched back in December 2018 and named “Six months into the application of General Data Protection Regulation (GDPR), Luxembourg market status: Smooth Sailing or Hot Water?”, was aimed at understanding the Luxembourg business environment’s reactions to the regulation six months after its entry into force. Results revealed that while the majority of respondents considered themselves “GDPR-ready” or “almost ready”, there was still work to be done, including in terms of risk management and data retention.

Eighteen months after the GDPR implementation, PwC Luxembourg thought it was relevant to conduct a second survey, entitled "18 months into the application of GDPR, Luxembourg market status: is it all Smooth Sailing now?" 

Frédéric Vonner, GDPR and Privacy Leader at PwC Luxembourg, explained: “As results show, Luxembourg organisations have embraced GDPR. The main conclusions of our first survey in 2018 remain similar to the survey results from this year, but whether this is a positive [development] or not is not entirely clear. While most of the entities we surveyed declare themselves as compliant with GDPR, when we dig deeper into the details we can see that there is still work to be done. There are two areas that are deserving of our attention: the limitation of the retention of personal data on the one side, and the risk and impact analysis as applied on the processing of personal data on the other hand".

Overall, the number of respondents declaring their (more or less) compliance with GDPR has increased slightly. Indeed, 91% of respondents across all the industrial sectors surveyed stated that they have implemented certain or most of the requirements, compared to 89% in 2018. Financial services industry respondents declared the highest level of compliance, at around 95%. 

In addition, more than 90% of respondents stated that they had identified the risks for data subjects, out of which 50% declared having mitigated them.

Similarly, 83% of respondents declared having defined retention periods, yet only 12% confirmed that these were properly enforced in their IT system.

Indeed, the same types of difficulties were mentioned in both surveys when it comes to the actual enforcement of the regulation. The top three challenges cited in 2020 were: understanding the processing activities; having sufficient staff involved; and the complexity of the technological aspects.

The full results of the survey “18 months into the application of GDPR, Luxembourg market status: is it all Smooth Sailing now?” are available at https://www.pwc.lu/gdpr-survey-2020.