Years in the planning, the European Union's General Data Protection Regulation (GDPR) was agreed by the EU institutions at the end of 2015, and formal adoption is expected in 2016. The IT security profession is slowly starting to recognise the full extent of this wide-ranging legal framework for the processing of personal data ahead of its entry into force in 2018.
To find out how well prepared they are, Symantec commissioned the independent research firm Coleman Parks to conduct a study of 260 CISOs from organisations with 1,000+ employees.
Europe’s New Data Privacy Laws – Are You As Ready As You Think?
1. General Data Protection Regulation
THE GDPR – A NEW CHALLENGE FOR THE IT SECURITY PROFESSION
The EU General Data Protection Regulation (GDPR) is one of the most significant developments in data protection policy and regulation for years. The IT security profession is slowly starting to recognise the full extent of the changes to the processing of personal data ahead of the GDPR coming into force in 2018.
Symantec and research firm Coleman Parks conducted a study into how well UK & Ireland organisations are prepared for this wide-ranging legal framework by questioning 260 CISOs from organisations with 1,000+ employees.
GDPR Concerns
Readiness Findings
GDPR Responsibility
Outsourcing GDPR
Compliance Fail
The Five Steps to Prepare
WHAT COULD POSSIBLY GO WRONG?
The research shows those in charge of IT Security in UK and Ireland think they are well aware of the wide-ranging impact of the GDPR on their organisations.
The top three issues were the transfer of data, public awareness and loss of brand reputation after a breach, and the disruption of the business.
Top 5 GDPR issues impacting UK and Ireland businesses:
1. Data transfers: 43%
2. Public awareness and brand reputation in case of a breach: 38%
3. Business disruption / inability to trade during privacy incidents or investigations: 33%
4. Fines and legal costs of compliance and litigation: 32%
5. Ability to process data for your business model: 31%
Of only slightly less concern were fines and costs (31%), despite the fact these could range up to 4% of annual turnover or €20 million.
CONFIDENCE AMONG UK AND IRELAND ORGANISATIONS
Despite the scale of change to processes and systems required to comply with the GDPR, 82% of UK and Ireland organisations believe they will be fully prepared for the GDPR within the next five months.
When organisations expect to be fully prepared for the GDPR (prepared vs. likely to be fined):
Fully prepared: 28%
In 1 month: 14%
In 2-5 months: 40%
In 6-12 months: 14%
In 1-2 years: 2%
In 2 years or more: 2%
As part of these preparations, over half (47%) have already appointed a Data Protection Officer (DPO). Also, despite lower IT budgets and skills shortages, 51% of the respondents believe they have full authority and budget to make the changes they need to be more resilient.
GDPR RESPONSIBILITY – WHO’S ON THE HOOK?
GDPR is on the board's agenda for 59% of organisations. Overall, 38% of boards received compliance reports from others including the CISO, while for 3% GDPR was not yet a board issue.
However, when it comes to public announcements following a cyber breach that affects GDPR compliance, the responsibility is shared across a variety of roles such as the CISO (30%), CIO (20%) and DPO (18%).
Top titles responsible for managing the series of announcements in case of a cyber breach:
Role                  Overall   In large enterprises
CISO                  30%       40%
Chief Data Officer    12%        9%
CIO                   20%       15%
CEO                   13%       10%
DPO                   18%       15%
Head of Legal          4%       30%
WHAT ABOUT OUTSOURCING?
Part of the requirements to comply with the GDPR is to have a clear view on how personally identifiable data is dealt with. It is therefore surprising to see third party process engineering (such as payments processing, credit checking etc.) being the most popular aspect of the GDPR to be outsourced (56%).
Parts of the GDPR preparation to be kept in-house vs. outsourced (in-house % / outsourced %):
Third party process engineering: 44% / 56%
Certification: 59% / 41%
Ongoing compliance: 62% / 38%
Policy creation: 68% / 32%
Preparation: 69% / 31%
Data classification, DPO role and Incident Response services: 58% / 42%, 66% / 34% and 71% / 29% (the chart lists these three areas and these three splits; the prose does not pair them)
Perhaps more understandable was the use of external experts for certification (41%), ongoing compliance (38%), policy creation and preparation (32% and 31%).
ARE YOU FAILING TO PREPARE OR PREPARING TO FAIL?
Given the degree of confidence asserted by CISOs in this study, it is surprising to see how many would currently fail an important security requirement of the new law.
37% are fully equipped to detect, report, remedy and recover from data breaches.
37% are only able to report the breach within the 72-hour notification requirement that applies to notifying regulators under the GDPR.
20% should be able to report the breach, but not within the 72-hour notification requirement that applies to notifying regulators under the GDPR. They are liable to be fined.
4% will improvise as and if the situation presents itself.
1% don't expect to suffer a data breach at all.
While 37% are fully equipped to detect, report, remedy and recover organisationally from a breach, 37% only feel able to report it within 72 hours. Worst of all, 4% will improvise in a breach situation and 1% are confident they would never suffer a data breach.
FIVE STEPS TO GET READY FOR THE GDPR
Symantec recommends following these steps:
1. Treat GDPR compliance as a board-level issue. Form a governance group under the direction of the CISO, CIO and Data Protection.
2. Understand and map the data you collect and process, directly and via third parties. Devise and test the mechanisms to delete data with confidence.
3. Assess your organisation's current data retention policies and whether the level of security offered by your systems and procedures provides adequate protection against unauthorised processing and/or data loss.
4. Take a 'Privacy by Design' approach to re-engineer processes and policies which involve the processing of personal data, to ensure compliance happens by default.
5. Urgently review your breach notification processes to assess whether your organisation can investigate the extent of any compromise within the 72-hour notification deadline. If not, review your Cyber Insurance coverage once again, or be ready to pay large fines.
For more insights, click here: http://www.symantec.com/en/uk/data-privacy/