by jacquesm 3048 days ago
It is quite possible their company does not need a DPO. But given the nature of the question there is some evidence they do; besides that, hiring a DPO is not something done in isolation but most likely as the result of a GDPR impact study done in ... 2017 or so, which I'm going to again guess was not in the cards for many companies.

So, in summary: likely the vast majority of the companies affected are only now starting to wake up to the fact that they are affected. For quite a few of these companies the effects will be relatively benign unless their servers are compromised. For the more serious offenders and the larger companies that have not yet started to address these issues it is likely too late to get anything done in time, but since this goes for the vast majority of them they are simply playing a complicated game of Russian roulette with the oversight bodies, and a couple of them will undoubtedly get unlucky, to the great relief of the remainder.

Data protection authorities tend to be vastly understaffed, but this too will hopefully change in the future.


Yeah, I agree with everything you said.

It would be interesting to know whether the big companies have addressed (at least partially) their GDPR compliance. Maybe they do just "play Russian roulette" like you said, and hope for the best. Of course, implementation guidelines are not yet fully defined (like WP29 opinions; some of them will change, and even then, those opinions are not legally binding).

From what I've seen it strongly depends on the vertical, but there are outliers both ways. With medical and fintech (banks, IPSPs, insurance) you can expect they are on average doing OK, though there are some bad counterexamples. E-commerce is only just now starting to wake up, and everybody else is going to be playing catch-up for the next couple of years.

Note that my sample is relatively small and mostly western European countries (nl, be, de, uk).