Each year, ESG surveys around 700 cybersecurity and IT professionals as part of its annual IT spending intentions research (note: I am an ESG employee). In this year’s survey, ESG asked respondents several questions about General Data Protection Regulation (GDPR) readiness.

What we found is alarming. With only a few months until the regulation goes into effect, only 11 percent of those surveyed say they are completely prepared and only 33 percent say their incident response plan meets the GDPR requirement for breach disclosure in 72 hours.

Specifically, this is what they said about their GDPR preparedness:

While 11 percent of organizations are completely prepared for GDPR (i.e. would be ready if it went into effect tomorrow), 33 percent say they are mostly prepared (i.e. most work done but some tasks left to accomplish), and 44 percent claim they are somewhat prepared (i.e. organization has identified all the steps to meet the GDPR deadline but is early in the process of completing all tasks).

Nearly one quarter (22 percent) of organizations say they don’t need to make further technology purchases to address GDPR. Alternatively, 63 percent have made or will make some incremental technology investments, while 10 percent have made or will make substantial technology investments for GDPR.

One-third of organizations say their incident response (IR) plan can meet the GDPR requirement for breach disclosure in 72 hours. The remaining organizations admit that their IR plans need work, however. Thirty-five percent say their IR plan needs some updates to meet GDPR, 8 percent claim that their IR plans need major revisions to meet GDPR, 7 percent will need to establish a new IR plan to meet GDPR, and 8 percent admit that they don’t have an IR plan and will have to create one from scratch to meet GDPR.

Companies have a lot of work to do to meet the May GDPR deadline

My take-away from this data is that most organizations still have plenty to do with just over three months to go. Furthermore, I am alarmed by the lingering uncertainty around GDPR. For example, when survey respondents were asked to identify their organization’s biggest GDPR challenges, just under one-third (32 percent) said "understanding all the requirements associated with GDPR," while 31 percent said "establishing the ability to audit GDPR controls for regulators."

Given that we are just about through with February, you would think that firms would have these issues under control by now. I’ve encountered this uncertainty in conversations with CISOs, as well. When I ask them if they are ready for GDPR, many respond, “I don’t really know.”

Judging by the data, I’d say the handoff from legal and privacy teams to security and operations teams is a work in progress. In other words, corporate lawyers are still figuring out what their organizations need to do. As a result, they haven’t fully operationalized a GDPR plan — and the clock is ticking.

One of my cybersecurity predictions at the start of 2018 was that we would see a massive data breach and subsequent GDPR fine by the end of this summer. This data only reinforces my belief that this will happen.