2017
PRESENTED BY
EU GDPR REPORT
TABLE OF CONTENTS
Overview ... 3
Key Findings ... 4
Familiarity with GDPR Regulations ... 5
Anticipated Regulatory Impact ... 6
Regulatory Impact by Industry ... 7
Compliance Priority ... 8
Compliance Priority by Region ... 9
Compliance Priority by Industry ... 10
GDPR Preparedness ... 11
Organizational Ownership ... 12
Compliance Challenges ... 13
Compliance Initiatives ... 14
GDPR Chapters of Concern ... 15
GDPR Articles of Concern ... 16
Impact on Security Practices ... 17
Impact on Security Budgets ... 18
Data Governance Budget ... 19
Data Protection Officers ... 20
Demographics ... 21
5 Steps to GDPR Compliance ... 23
About Us ... 29
Many thanks to STEALTHbits Technologies for
supporting this groundbreaking research on a critical
topic for data governance.
We also want to thank all of our participants who
provided their time and input in completing the study.
We hope you will enjoy reading this report, and gain
insight from its major findings.
INTRODUCTION

The European Union General Data Protection Regulation (EU GDPR) is the most significant change in data privacy regulation in more than 20 years. The regulation imposes stringent requirements on companies that collect and retain personal data about individuals. It was adopted in 2016 and applies from May 25, 2018.

This report is the result of a comprehensive crowd-based research study in conjunction with the 360,000+ member Information Security Community and Crowd Research Partners. The research was designed to identify the perspectives of organizations on the impact of the new regulation and how they plan to comply with the mandated requirements.
STEALTHbits Technologies, Inc.
200 Central Avenue
Hawthorne, NJ 07506
United States
2017 GDPR REPORT
www.stealthbits.com
KEY FINDINGS

1. While an overwhelming majority of surveyed organizations (approaching 90%) are familiar with the EU GDPR, only about a third (32%) state that they are compliant or well on the way to compliance.

2. Approximately 30% of surveyed companies report that they will need to make substantial changes to security practices and technology to comply with the EU GDPR.

3. The primary challenges in becoming compliant with the EU GDPR are lack of budget (32%), limited understanding of the regulations (29%), and lack of expert staff with critical skills (28%).

4. The most important initiative in meeting EU GDPR compliance is to make an inventory of user data and map it to protected EU GDPR categories (49%). The next most significant initiative is to design applications and databases to have privacy enabled by default (31%).

5. A substantial majority (65%) of organizations where EU GDPR compliance is a top priority already have or plan to have a Data Protection Officer (either in-house or outsourced).
FAMILIARITY WITH EU GDPR REGULATIONS

Q: How familiar are you with the EU GDPR?

[Chart: familiarity by region (North America vs Europe); answer options Expert (have deep knowledge), Knowledgeable (quite familiar), Familiar (know some details), Limited familiarity, Not at all aware. Extracted values 16%, 7%, 34%, 22%, 19%, 28%, 6%, 22%, 25%, 21%; their assignment to bars is not recoverable. Sidebar graphic: deadline May 2018.]

Given that the EU GDPR applies from May 2018, it is reasonable to expect familiarity with the regulation. It is not surprising that companies headquartered in Europe report a higher level of familiarity than those in North America.
ANTICIPATED REGULATORY IMPACT

Q: How strictly do you believe the EU GDPR regulation will be enforced when it officially comes into effect?

[Chart: all respondents, and respondents by level of familiarity with the regulation (Expert, Knowledgeable, Familiar, Limited familiarity, Not at all aware). Answer options: "Many will be fined for non-compliance", "No one will be fined for non-compliance", "A few organizations will be made an example of, but most will be given a pass". Extracted values 7%, 55%, 12%; 58%, 6%, 36%, 40%, 53%, 7%, 34%, 63%, 63%, 3%, 16%, 21%, 10%, 45%, 45%; their assignment to bars is not recoverable.]

Overall, only a few organizations expect the EU GDPR to have a substantial impact. However, companies claiming greater knowledge of the regulation believe the consequences will be far greater, which suggests the importance of studying and understanding the regulation.
REGULATORY IMPACT BY INDUSTRY

Q: How strictly do you believe the EU GDPR regulation will be enforced when it officially comes into effect?

[Chart: the same question by industry (Retail, Government, Technology, Financial services, Healthcare, Higher Education, Energy), with the three answer options above. Extracted values 50%, 50%, 44%, 33%, 23%, 50%, 10%, 38%, 58%, 4%, 56%, 33%, 11%, 20%, 33%, 67%, 70%, 10%, 40%; their assignment to bars is not recoverable.]

The anticipated regulatory impact varies significantly by industry. This likely reflects the amount of personally identifiable customer information collected in the course of business operations.
COMPLIANCE PRIORITY

Q: How high of a priority is EU GDPR compliance to your company currently?

[Chart: answer options "It's one of the top 3 priorities for my company", "It's one of a number of priorities", "It's not a priority". Extracted values 26%, 28%, 46%; their assignment to options is not recoverable.]

With many companies familiar with the EU GDPR, the next question was whether this understanding translates into making compliance a priority. A large proportion of companies indicated that compliance is a priority.
COMPLIANCE PRIORITY BY REGION

Q: How high of a priority is EU GDPR compliance to your company currently?

[Chart: Europe and North America, with the answer options "It's one of the top 3 priorities for my company", "It's one of a number of priorities", "It's not a priority". Extracted values: Europe 18%, 49%, 33%; North America 43%, 40%, 17%; the assignment within each region is not recoverable.]

The next question was whether the priority of GDPR compliance varies by region. Not surprisingly, compliance priority is substantially higher for EU-based companies.
COMPLIANCE PRIORITY BY INDUSTRY

Q: How high of a priority is EU GDPR compliance to your company currently?

[Chart: by industry (Retail, Government, Technology, Financial services, Healthcare, Higher Education, Energy), series "It's one of the top 3 priorities for my company" and "It's one of a number of priorities". Extracted values 47%, 14%, 29%, 25%, 57%, 42%, 17%, 13%, 80%, 50%, 63%, 34%; their assignment to bars is not recoverable.]

The next question on compliance was whether GDPR priority varies by industry. As the chart shows, priority varies widely by industry, with compliance being a top 3 priority in the Technology, Energy, Financial Services, Healthcare and Higher Education sectors.
GDPR PREPAREDNESS

Q: How prepared is your company to meet EU GDPR regulations by the deadline?

[Chart: answers "We are well into the process" and "We are in compliance today", by priority of EU GDPR compliance (not a priority / one of a number of priorities / one of the top 3 priorities). Extracted values 8%, 5%, 4%, 47%, 26%, 4%; their assignment to bars is not recoverable.]

It is not surprising that preparedness should be directly related to compliance priority. The survey findings support this: organizations where EU GDPR compliance is a high priority are further into the process.
ORGANIZATIONAL OWNERSHIP

Q: What team within your company has primary responsibility for ensuring EU GDPR compliance?

All respondents, and respondents by priority of EU GDPR compliance. The rows were reassembled from the extracted chart values in legend order (Information Security, Information Technology, Legal, Financial, Other); each row sums to 100%.

                                     InfoSec   IT    Legal   Financial   Other
All respondents                        43%    25%    15%       3%        14%
It's not a priority                    29%    29%    12%       6%        24%
It's one of a number of priorities     45%    25%    16%       1%        13%
It's one of the top 3 priorities       53%    20%    15%       3%         9%

In general, Information Security teams have primary organizational ownership for meeting EU GDPR compliance. However, this is much more pronounced for companies where compliance is a top priority.
COMPLIANCE CHALLENGES

Q: What challenges is your company facing in becoming compliant with EU GDPR regulations?

#1  Lack of budget                              32%
#2  Limited understanding of regulations        29%
#3  Lack of expert staff with critical skills   28%
#4  Lack of management support                  22%
#5  Lack of necessary technology                18%

Organizations expressed multiple challenges in complying with the GDPR. Not surprisingly, lack of budget is cited as the top challenge.
COMPLIANCE INITIATIVES

Q: Which of the following initiatives are part of your program to be compliant with EU GDPR regulations?

49%  Making an inventory of user data and mapping it to protected EU GDPR categories
31%  Designing applications and databases to have default data privacy enabled
28%  Audit to track down "rogue" data records with personal information
28%  Evaluating solutions to enable users to exercise their data rights
26%  Identify and integrate internally developed solutions
24%  Identify and integrate external applications
17%  Stress-testing resilience of proposed GDPR solutions

Participants indicated multiple data initiatives to become compliant with the regulation. However, one initiative stands out: making an inventory of user data and mapping it to protected EU GDPR categories.
GDPR CHAPTERS OF CONCERN

Q: Our EU GDPR compliance program is most concerned about the following chapters in the EU GDPR regulations

Chapter 1: General provisions
Chapter 2: Principles
Chapter 3: Rights of the data subject
Chapter 4: Controller and processor
Chapter 5: Transfer of personal data to third countries or international organisations
Chapter 6: Independent supervisory authorities
Chapter 7: Co-operation and consistency
Chapter 8: Remedies, liability and sanctions
Chapter 9: Provisions relating to specific data processing situations
Chapter 10: Delegated acts and implementing acts
Chapter 11: Final provisions

[Chart: extracted values 28%, 24%, 22%, 20%, 17%, 16%, 16%, 13%, 11%, 11%, 7%. The commentary identifies Chapter 3 as the leading concern, i.e. the 28% value; the assignment of the remaining values to chapters is not recoverable.]

While the EU GDPR is complex and has many chapters, the primary area of concern is the chapter on "Rights of the data subject".
GDPR ARTICLES OF CONCERN

Q: Which of the following provisions are of the most concern to you?

Article 5: Principles relating to personal data processing
Article 10A: General principles for the rights of the data subject
Article 17: Right to be forgotten and to erasure
Article 18: Right to data portability
Article 23: Data protection by design and by default
Article 30: Security of processing
Article 33: Data protection impact assessment
Article 40: General principle for transfers

[Chart: extracted values 33%, 32%, 32%, 29%, 27%, 25%, 25%, 16%; their assignment to articles is not recoverable.]

Note on numbering: the article numbers and titles in this question follow the draft text of the regulation (the 2012 Commission proposal, with "Article 10A" coming from the European Parliament's amended version). In the adopted text, Regulation (EU) 2016/679, the corresponding provisions are Article 5 (principles), Article 17 (right to erasure, "right to be forgotten"), Article 20 (right to data portability), Article 25 (data protection by design and by default), Article 32 (security of processing), Article 35 (data protection impact assessment) and Article 44 (general principle for transfers). The sponsor section later in this report uses the adopted numbering.

The EU GDPR has many articles. A significant article of concern is the "Right to be forgotten and to erasure". For many organizations it is a challenge to comply promptly with requests to remove or redact personally identifiable data, because their data is not properly tagged and classified.
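As an added example that is not part of the report and not a STEALTHbits product, the following Python sketch ties together the two initiatives respondents rank first (an inventory of personal data mapped to categories) and the erasure problem described above. It scans a set of constructed sample records from three systems, tags every hit with an illustrative category (the detector patterns and category names are assumptions, not categories the GDPR defines), and then processes an erasure request for one data subject, including an email address and phone number that leaked into a free-text ticket note. A final re-scan checks that nothing identifying the subject remains.

```python
# Added example: personal-data inventory and erasure over constructed sample records.
# Not code from the report or from STEALTHbits. Detector patterns, category names
# and the sample stores are assumptions made for illustration.
import copy
import re
from dataclasses import dataclass

# Regex detectors for a few personal-data types. Person names are deliberately not
# detected: that needs a dictionary or NER, not a regex, and would only mislead here.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d[\d\s-]{7,}\d"),  # international format only
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{2,4}){3,8}\b"),
}

# Constructed sample data: three systems each holding fragments about a subject.
_SAMPLE = {
    "crm": [
        {"id": "c-100", "name": "Ana Example", "email": "ana@example.org", "phone": "+44 20 7946 0958"},
        {"id": "c-101", "name": "Ben Example", "email": "ben@example.org", "phone": "+44 20 7946 0123"},
    ],
    "ticketing": [
        {"id": "t-7", "subject": "Refund",
         "notes": "Customer ana@example.org called from 203.0.113.9, please call back on +44 20 7946 0958"},
        {"id": "t-8", "subject": "Login issue", "notes": "No contact details recorded"},
    ],
    "payments": [
        {"id": "p-1", "customer": "c-100", "iban": "GB82 WEST 1234 5698 7654 32"},
    ],
}


def sample_stores():
    """Fresh copy of the sample data so erasure can be run repeatedly."""
    return copy.deepcopy(_SAMPLE)


@dataclass
class Finding:
    store: str
    record_id: str
    field_name: str
    category: str
    value: str


def scan_stores(stores):
    """Scan every string field of every record and return one Finding per hit.

    Free-text fields are scanned like any other, which is how "rogue" personal
    data (contact details pasted into a notes column) ends up in the inventory.
    """
    findings = []
    for store_name, records in stores.items():
        for rec in records:
            for fname, value in rec.items():
                if fname == "id" or not isinstance(value, str):
                    continue
                for category, rx in DETECTORS.items():
                    for hit in rx.findall(value):
                        findings.append(Finding(store_name, rec["id"], fname, category, hit))
    return findings


def inventory(findings):
    """Data map: category -> {store -> set of fields that hold that category}."""
    inv = {}
    for f in findings:
        inv.setdefault(f.category, {}).setdefault(f.store, set()).add(f.field_name)
    return inv


def erase_subject(stores, subject_identifiers, placeholder="[REDACTED]"):
    """Handle an erasure request for one data subject; returns the fields changed.

    subject_identifiers: every value known to identify the subject (email, phone,
    internal customer key, ...). A record whose id or any whole field equals one
    of them belongs to the subject and has every string field wiped. In other
    records only the embedded identifier is replaced, so a shared ticket stays usable.
    """
    ids = {s.lower() for s in subject_identifiers}
    touched = []
    for store_name, records in stores.items():
        for rec in records:
            owned = rec["id"].lower() in ids or any(
                isinstance(v, str) and v.lower() in ids for v in rec.values())
            for fname, value in list(rec.items()):
                if fname == "id" or not isinstance(value, str):
                    continue
                new = placeholder if owned else value
                if not owned:
                    for ident in subject_identifiers:
                        new = re.sub(re.escape(ident), placeholder, new, flags=re.IGNORECASE)
                if new != value:
                    rec[fname] = new
                    touched.append((store_name, rec["id"], fname))
    return touched


def verify_erased(stores, subject_identifiers):
    """Re-scan after erasure; anything returned is a leftover for the subject."""
    ids = {s.lower() for s in subject_identifiers}
    return [f for f in scan_stores(stores) if f.value.lower() in ids]
```

Typical use is `stores = sample_stores()`, `inv = inventory(scan_stores(stores))` to build the data map, then `erase_subject(stores, ["ana@example.org", "+44 20 7946 0958", "c-100"])` followed by `verify_erased(...)`, which should return an empty list. Two design points matter in practice: the payments record is found only because the internal key `c-100` was passed as an identifier, so the inventory has to record which internal keys link back to a person, not just which fields look like PII; and the IP address left in the ticket note shows that regex detection alone cannot decide whether a value belongs to the requesting subject.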
IMPACT ON SECURITY PRACTICES

Q: To what level will your company's security practices and technology need to change to be in compliance with EU GDPR policies?

All respondents: no change at all 15%, relatively minor change 56%, substantial change 29%.

[Chart: the same question by priority of EU GDPR compliance. Extracted values: not a priority 35%, 40%, 26%; one of a number of priorities 9%, 64%, 27%; one of the top 3 priorities 7%, 57%, 36%; the assignment within each group is not recoverable.]

It is not surprising that the anticipated impact on an organization's security practices and technology increases significantly with the priority of EU GDPR compliance. Those companies needing to be compliant likely have a better understanding of the impact.
IMPACT ON SECURITY BUDGETS

Q: What proportion of the IT Security budget will be devoted to compliance with EU GDPR policies?

All respondents: less than 5% of the budget, 50%; 5%-10%, 23%; 10%-20%, 15%; 20%-50%, 9%; more than 50%, 3%.

[Chart: the same question by priority of EU GDPR compliance (not a priority / one of a number of priorities / one of the top 3 priorities). Extracted values 81%, 16%, 1%, 1%, 1%, 1%, 45%, 27%, 26%, 24%, 23%, 19%, 9%, 20%, 7%; their assignment to bars is not recoverable.]

As a corollary, it is not surprising that the anticipated impact on the security budget increases significantly with the priority of EU GDPR compliance. Those companies that need to be compliant will likely have to spend a larger proportion of their budget.
DATA GOVERNANCE BUDGETS

Q: Over the next 12 months, our company's data governance budgets will increase by ..?

[Chart: by priority of EU GDPR compliance (not a priority / one of a number of priorities / one of the top 3 priorities); answer options Decrease, Stay the same, Increase by up to 10%, Increase by 10%-30%, Increase by 30%-50%, Increase by more than 50%. Extracted values 14%, 6%, 41%, 26%, 20%, 6%, 1%, 5%, 28%, 27%, 12%, 8%, 14%, 6%, 6%, 3%, 57%, 42%, 21%, 18%, 7%, 4%, 8%, 20%; their assignment to bars is not recoverable.]

A different way of asking the budget question is to ask about the anticipated growth in data governance budgets. Here again, the consistent response is that growth in budget appears strongly related to priority.
DATA PROTECTION OFFICERS

Q: Do you have a Data Protection Officer (DPO) role and/or title in your company?

[Chart: by priority of EU GDPR compliance (not a priority / one of a number of priorities / one of the top 3 priorities); answer options "We have a DPO (either in-house or outsourced)", "We plan to have a DPO (either in-house or outsourced)", "We don't plan to have a DPO (either in-house or outsourced)", "We are not required to have a DPO". Extracted values 33%, 21%, 12%, 12%, 43%, 24%, 39%, 26%, 31%, 14%; their assignment to bars is not recoverable.]

The majority of respondents either have or plan to have a Data Protection Officer. The existence of, or plans to have, a Data Protection Officer is strongly related to the priority of EU GDPR compliance.
DEMOGRAPHICS

The 2017 GDPR Report is based on the results of a comprehensive online survey of over 520 companies from different geographic regions, with a predominant proportion from Europe.

REGION: Europe 59%, North America 29%; APAC, LATAM and Other make up the remainder (extracted values 3%, 1%, 8%; their assignment is not recoverable).

INDUSTRY: Technology, Financial Services, Government, Higher Education, Healthcare, Retail, Energy, Other.

DEPARTMENT: Information Security, Information Technology, Data protection, Legal, Other (extracted values 48%, 21%, 7%, 22%, 3%; their assignment is not recoverable).

CAREER LEVEL: CISO, DPO/Privacy Officer, VP of IT, VP of Security, Director, Manager, Analyst, Other.

COMPANY SIZE: 1-250, 251-500, 501-1000, 1001-5000, 5001-10,000, 10,001-20,000, 20,000+ (extracted values 51%, 7%, 7%, 4%, 10%, 6%, 15%; their assignment is not recoverable).

[Two further rows of eight extracted values, 45%, 5%, 4%, 3%, 2%, 10%, 6%, 23% and 22%, 4%, 3%, 2%, 19%, 27%, 12%, 10%, belong to the Industry and Career level charts; which row is which, and the assignment to labels, is not recoverable.]
5 STEPS TO GDPR COMPLIANCE
CISO TO DPO: RESPONSIBILITY TRANSFER

With the EU GDPR going into effect, the responsibilities of the CISO/Head of Security will shift. Risk Management, Governance, Business Enablement and the Project Delivery Lifecycle move to the Data Protection Officer (DPO)/Head of Privacy, with dotted lines to Identity Management and Security Operations.

The role of the DPO will be much like that of a Compliance Officer, with the additional responsibilities of overseeing sensitive data handling and the business processes affected. We have mapped out how the responsibilities transfer from CISO to DPO.

[Diagram: CISO and DPO responsibility map. Functions shown: Identity Management, Security Operations, Risk Management, Governance, Business Enablement, Project Delivery Lifecycle, Budget, Legal & Human Resources, Compliance & Audits. The connecting lines are not recoverable from the extracted text.]
PREPARATION TIMELINE

We have taken Data Governance, Identity and Access Management, and Data Migration processes and aligned them with the EU GDPR to outline how long each foundational piece will take to execute.

1. Raise awareness and gather information: 7 months
2. Plan and prioritize: 5 months
3. Implement changes: 5 months
4. Enforce change and maintain: ongoing
REGULATORY SANCTIONS

The current maximum fine in the UK under the Data Protection Act is £500,000 [$615,000]. With the EU GDPR the maximum fine to an organization increases by 3,600%.

Maximum fine: €20M [~$22M] or 4% of the annual global revenue of the preceding financial year in the case of an enterprise, whichever is greater.

If the companies shown on this page (their logos did not survive extraction) were found non-compliant under the EU GDPR, they would have been assessed the following 4% fines based on their 2015 reported global revenue: $1,771,600,00 (as printed), $3,327,200,000, $4,280,000,000, $8,624,000,000.
WHAT TO BUDGET FOR

PwC recently surveyed 200 CIOs, CISOs, General Counsels, CCOs, CPOs and CMOs from US companies with more than 500 employees; 77% plan to spend $1 million or more on the EU GDPR. Below are 8 ways to outline your budget and prepare for May 25, 2018.

1. Data inventory and mapping
2. Privacy and state-of-the-art safety by design and by default
3. Solutions to enable the exercise of data subject rights (Articles 15-22)
4. Train employees to be GDPR proficient
5. Incentives for hunting down "rogue or non-obvious" personal data records
6. Stress testing the GDPR resilience of the solutions proposed
7. Co-ordinate and integrate the solutions crowdsourced from the business
8. Hire both a GDPR architect and a GDPR DPO
HOW STEALTHBITS CAN HELP

"You need to know what sensitive data you have, where it is, and who has access to it. Governance should ensure that access is limited to those who really need it and actual access is checked against this list."
- 2016 Verizon Data Breach Investigations Report

[Diagram: the GDPR provisions the sponsor maps its products to, cited by article and paragraph of the adopted regulation]

CHAPTER II, Principles
- Article 5, Principles relating to processing of personal data: paragraphs 1(f) and 2

CHAPTER IV, Controller and processor
- Article 24, Responsibility of the controller: paragraph 1
- Article 25, Data protection by design and by default: paragraphs 1 and 2
- Article 32, Security of processing: paragraphs 1(b), 1(c), 1(d), 2 and 4
- Article 33, Notification of a personal data breach to the supervisory authority: paragraph 1
ABOUT US

SPONSOR
STEALTHbits | www.stealthbits.com

STEALTHbits Technologies is a cybersecurity software company focused on protecting an organization's credentials and data. By removing inappropriate data access, enforcing security policy, and detecting advanced threats, we reduce security risk, fulfill compliance requirements and decrease operations expense.

Identify threats. Secure data. Reduce risk.