EU GDPR Readiness Study

Feb 06, 2018 | by Marshall Toburen

The European Union’s General Data Protection Regulation (GDPR) goes into effect May 2018, potentially imposing material fines and sanctions on non-compliant businesses that process, store, or otherwise handle information of any EU citizen, regardless of where the business is based. The regulation:

  • Requires companies to implement privacy controls around the collection, processing, and security of personally identifiable information (PII), commensurate with the level of risk.
  • Includes provisions for the rights of EU residents (inquiry, correction, deletion, etc.).
  • Requires "appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures."

Recently, RSA commissioned Forrester Consulting to publish a thought leadership paper titled Fact or Fiction: The State of GDPR Compliance, GDPR Compliance Requires More Than IT.

Forrester’s paper is the culmination of a large cross-industry survey of risk and information management professionals located in Europe and the United States. It presents both caution and hope for organizations working toward compliance.

According to the Forrester survey, 53% of organizations reported that the Chief Information Officer (CIO) is the final decision maker owning the entire GDPR program. And, while 47 to 59% of organizations report they are already fully compliant with the various GDPR requirements, 39% of organizations remain least prepared to provide evidence of their risk mitigation strategies – leaving the program compliance owner in a very precarious position. The program owner's top priority is to demonstrate regulatory compliance to executives, the board, auditors, and regulators. Yet they are unable to do so because they cannot show that the technical and organizational measures in place around information are commensurate with the risk to European Union citizens. This is a case of putting the cart before the horse, but thoughtful rationalization and documentation of an information security program are lacking in many organizations.

Finally, two over-arching themes are clear from the Forrester paper: GDPR is a major undertaking for organizations, but the majority of organizations believe the benefits of the regulation extend well beyond mere compliance, including improved customer experience, improved data strategies, and better privacy policy management.

If your organization is subject to GDPR, I encourage you to read this paper to better understand how your priorities align with those of your peers, and to review Forrester's recommendations for program development and management.

Learn more about how RSA® Business-Driven Security™ solutions can support GDPR compliance.


Author: Marshall Toburen

Category: RSA Point of View

Keywords: EU Data Protection, General Data Protection Regulation, GDPR, RSA, RSA Archer, Compliance, Business Driven Security