Over Half of Companies Are Far From GDPR Compliance, Report Finds
Nearly one in five companies may never comply with the European Union's General Data Protection Regulation, according to a new report.

EY and the International Association of Privacy Professionals surveyed 550 privacy professionals about GDPR compliance for the IAPP-EY Annual Privacy Governance Report 2018, released Thursday. More than half of respondents, 56 percent, said they are far from compliant or will never fully comply. Seventy-six percent of respondents believed GDPR applied to their company.

Rita Heimes, the IAPP's research director and data protection officer, said those stats don't mean companies aren't trying.

"I think even if you've taken most of the steps toward building a program that meets GDPR as best you can, privacy professionals who have been doing this a long time understand that it's really a journey, it's not a destination, and that the best you can do is build the systems to try to meet the objectives of the law, but it's an ongoing effort," she said.

Respondents were asked to rate aspects of GDPR by difficulty. Some of the hardest aspects of the regulation, according to respondent ranking, are the right to be forgotten, fulfilling data subject access requests and getting explicit consent from users. U.S. companies reported higher difficulty scores across the board compared with those in other countries.

However, U.S. companies were more likely to give themselves high compliance scores. More than half, 53 percent, gave themselves an eight out of 10 or higher on a scale measuring GDPR compliance, compared with 38 percent of their EU counterparts who did the same.

GDPR compliance efforts have also, in part, led to an explosion in data protection officer hiring. Seventy-five percent of respondents said their companies have appointed a DPO, which GDPR requires of organizations whose core activities involve certain types of data processing, such as large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of personal data.

Around half said their DPO was appointed just to comply with GDPR. But another 48 percent said they created a DPO role to "serve a valuable business function," and not because they were required to under the GDPR. Heimes said that having a DPO can be a signal to European customers that a company is aware of GDPR and is working toward the law's privacy goals, even beyond the legal requirements.

She also noted there has been discussion about whether it's a good idea to appoint a DPO when not legally required, as it can trigger certain obligations.

"What this shows is that, I think, companies who do appoint a DPO voluntarily see it differently. They would rather err on the side of having a DPO, even if not legally obliged to have one, because they think it's a good idea," she said.

Nearly 60 percent of respondents said their company's privacy leader has taken on the DPO duty personally. Where that wasn't the case, the DPO reported to the privacy leader 65 percent of the time. In 44 percent of respondent organizations, the privacy leader's position was elevated in the wake of GDPR, meaning higher reporting lines or other aspects of a promotion.

"If a company is taking GDPR seriously, then those things go hand in hand—you're going to make sure your privacy leader has a voice in both operations and strategic decision making and is telling the board what is going on so there is a better understanding of privacy risk and privacy compliance," Heimes said.

GDPR has created opportunities for privacy professionals outside of the DPO role as well. According to the report, the global mean number of full-time employees working in privacy programs grew from 6.8 to 10.
