The Five Milestones to GDPR Success

For Security & Risk Professionals
April 25, 2017
To Meet The May 2018 Deadline, Security And Risk Pros Must Prepare Today

Start Preparing For The GDPR Deadline Before It’s Too Late

Shockingly, half of organizations across the EU and the US are unaware of the new European General Data Protection Regulation (GDPR). Even more worrisome, the rate of awareness is lowest among tech companies.1 But data protection authorities across the EU are gearing up to implement the new rules — which include fines of up to 4% of global revenues for violations.2 All firms providing services or products to European markets and/or those collecting data from European residents must prepare now. We have identified five milestones to help organizations develop and execute their GDPR strategies (see Figure 1).

FIGURE 1: Firms Must Reach Five Milestones For GDPR Success

Milestone: Assessment and gap analysis
• Discover and classify data.
• Map data flow.
• Analyze gaps.

Milestone: The business case
• Quantify resources for hiring/training people.
• Estimate costs for new products and services.
• Account for professional services.

Milestone: Detailed road map to address gaps and new requirements
• Deploy security controls.
• Update processes.
• Mitigate third-party risks.
• Review privacy notices and communication.
• Define organizational design.

Milestone: Incident response testing, auditing, and process evaluation
• Test the incident response plan.
• Audit your audit mechanisms.
• Try out new processes.
• Evaluate all customer-facing materials.

Milestone: Feedback loop for ongoing compliance and improvement
• Prepare for ad hoc audits.
• Establish training and awareness programs.
• Measure.

Complete Milestone 1: An Assessment And Gap Analysis Of Your Current Privacy Maturity

This milestone helps privacy and security pros determine the maturity of their privacy practices today. Forrester’s Privacy And GDPR Maturity Model provides a comprehensive maturity assessment that goes beyond the core requirements of the GDPR to include the capabilities necessary to use privacy as a competitive advantage. In order to reach this milestone, at a minimum, privacy and security pros must:

›› Conduct data discovery and classification exercises. To protect data, you need to know where it is and determine its risk profile. This is easier said than done, as our research reveals that a large number of companies still struggle to gain visibility into their data assets.3 However, our data also shows that the adoption of data classification solutions is on the rise.4 Privacy and security pros must enact processes that enable their firms to dynamically and continually classify data.5 Sensitive personal or customer data stored and/or processed in the cloud has a higher risk profile.

›› Map data flow. When establishing data risk profiles, privacy and security pros must consider not only where data resides at a given moment in time but also how it moves across the organization and its partners. Privacy and security teams must pay particular attention to third parties. In fact, the GDPR makes third-party risk even greater. For example, while data processors will be jointly responsible for privacy incidents, businesses will have the responsibility to perform and document recurring audits of third parties’ security and privacy practices and infrastructure.

›› Find the gaps in their processes, systems, oversight mechanisms, and skills. Once you have gained visibility into data and its flow and assessed its risk profile, you are ready to evaluate current risk-mitigation strategies. This includes, for example, reviewing the implementation of security controls. Privacy and security pros must look at processes, systems, oversight, and skills as part of the gap analysis, too. To identify gaps to fill, you must consider GDPR requirements and your firm’s risk appetite. Some firms in financial services, for example, deploy identity and access management (IAM) policies that are more stringent than the GDPR will require.6

Milestone 2: A Business Case For The Appropriate Budget

Firms must use their gap analysis to estimate the appropriate budget for their GDPR program. Thus, the investment will vary by organization. However, early research suggests that US firms, for example, are allocating approximately $1 million for GDPR compliance.7 Whatever the amount, your business case should not focus only on GDPR fines. Instead, it must make the case for the business benefits that the organization can realize through, for example, improved customer engagement, customer experience, and loyalty. When estimating the budget, privacy and security pros should also:

›› Quantify resources for hiring and training staff. Privacy and security training is not new, but GDPR brings it renewed attention. In fact, GDPR makes it part of organizations’ risk-mitigation strategies. And our data shows that internal misuse of data is still the most common cause of data breaches.8 In addition, GDPR requires organizations to hire a privacy officer.9 While the International Association of Privacy Professionals (IAPP) expects that firms will need 28,000 new data protection officers (DPOs) in Europe alone, people with the right skill set are scarce, and dedicated recruitment firms are popping up quickly.10 To secure the right hire, organizations must prepare to put competitive offers forward.11

›› Evaluate how much new products and services will cost. When initiating a GDPR program, going out shopping is not a good start — it’s like going to the grocery store when you’re already hungry. Firms must first assess existing security controls and their deployment. They must work

© 2017 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.