Despite going into effect over a year and a half ago, many corporations are still lagging behind when it comes to complying with the General Data Protection Regulation, or GDPR, the European Union's landmark data protection regulation.

According to a recent study, “Keeping Pace in the GDPR Race: A Global View of GDPR Progress in the United States, Europe, China, and Japan,” a quarter of companies asked said they had a low degree of confidence in their readiness and ability to respond to a GDPR data breach.

A small percent, 18 percent of respondents, said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it.

More than half of companies interviewed for the report – 54 percent – said GDPR implementation took longer than it expected; nearly half - 45 percent - said they had an average of two reportable data breaches since GDPR came into effect.

That number, perhaps unsurprisingly, was even higher in the U.S., where respondents said their organizations had an average of 2.49 breaches, post-GDPR.

Some of the biggest causes of the breaches occurred as a result of the negligent insider or by complications stemming from outsourcing data to a third party.

For the report, carried out by the Ponemon Institute and sponsored by two law firms, McDermott Will & Emory (WME) and WME China Law Offices, the authors contacted 1,263 organizations in the U.S., Europe, China, and Japan.

According to the report, about a third of the organizations acquired cyber risk insurance, partially as a means to address GDPR. 43 percent of those corporations said their plan covers GDPR fines or penalties. While 10 percent of insurance holders said they weren't sure exactly what their policy covers, 62 percent said their policy covers external attacks, 41 percent said their policy covers human error, mistakes and negligence, and 38 percent said their policy covers malicious or criminal insiders.

Roughly half of respondents said their organization applies GDPR requirements to both US and European employees, "because they want to take a global approach." Nearly as many, 49 percent, said they did the same but because they believe it's required by GDPR.

One area where organizations aren't lagging when it comes to GDPR is by employing a Data Protection Officer. Almost all of the respondents, 90 percent, said their organization hired a DPO to navigate data protection challenges associated with GDPR. The role is mandatory for any company that collects or processes EU citizens' personal data under Article 37 of GDPR. 54 percent of organizations said their organizations appointed an EU representative.

GDPR of course, went into effect, on May 25, 2018. The regulation put into place notification requirements for data controllers and data processors, including reporting and record-keeping requirements. Failing to comply with the regulation could result in a penalty of up to $23 million or four percent of a company's global annual turnover.