Most organizations failed to meet the May 2018 deadline to comply with the launch of the European Union’s tough new data privacy rules, and the majority of them still find compliance a challenge more than one year on, according to a recent survey.

Furthermore, just under half (46 percent) say their organizations have had, on average, two reportable data breaches since the General Data Protection Regulation (GDPR) came into effect, with nearly one in six receiving a follow-up inquiry or inspection from a regulator.

The survey, carried out by the Ponemon Institute and sponsored by law firm McDermott Will & Emery, found over half (54 percent) of respondent organizations said GDPR implementation took longer than they had anticipated. Eighty percent said it was “equally” or “more difficult” to implement than other data privacy and security requirements.

In fact, only 18 percent of respondents are highly confident in their organizations’ ability to communicate a reportable data breach to the relevant regulators within 72 hours of becoming aware of the event—seen by 70 percent of respondents as the main GDPR security requirement they should principally address.

Almost half of reportable breaches were caused by negligent insiders, followed by outsourcing data to a third party and cyber-attacks. However, some 35 percent of respondents reported they did not know what caused the breach.

The survey, called “Keeping Pace in the GDPR Race” and based on the responses of 1,263 organizations, is a follow-up study to last year’s research, “The Race to GDPR.” In this year’s study, the authors expanded the research to include China and Japan alongside the United States and Europe.

The study highlights several interesting findings. For instance, despite the potential threat of large financial penalties (a maximum of 4 percent of a company’s global revenues), only 10 percent of respondents say they received a fine as a result of a data breach. The main damage, as reported by 43 percent of respondents, was a loss of customer and consumer trust, followed by loss of productivity (34 percent), legal action (33 percent), and reputational damage (33 percent).

The research also uncovered some important geographic trends regarding data protection preparedness. For example, more U.S. organizations have experienced cyber-attacks since the GDPR came into force than respondents in Japan, Europe, or China. This, in turn, has prompted more U.S. companies to hire external consultants to help investigate potential data breaches and hacks.

GDPR awareness is also much lower in Asia’s two largest economies. Nearly half (49 percent) of those Chinese respondents that are subject to the GDPR—and more than a third (36 percent) of Japanese—are still not familiar with the regulation. This is more than 10 percent lower than their counterparts in the United States or Europe. According to the survey, China has the lowest level of compliance with the regulation, with only 29 percent of Chinese respondents saying their organizations are fully compliant.

More generally, the researchers found the top barriers in achieving GDPR compliance (unchanged from last year’s findings) are the need to make comprehensive changes in business practices (as stated by 69 percent of respondents), unrealistic demands from the regulations and regulator (53 percent), and too little time to devote to maintaining compliance (52 percent).

The study also found IT security is typically the department that leads GDPR compliance (as stated by 21 percent of respondents), followed by compliance (20 percent), legal (19 percent), and IT (17 percent), with risk management taking charge in 8 percent of organizations surveyed.