This week, Gartner hosted its annual Security & Risk Management Summit in London and the buzz at the event centered on the new risks associated with the General Data Protection Regulation (GDPR). The discussion was fueled by the recent cyber attack experienced by British Airways (BA). BA disclosed the data breach just prior to our event and it was headline news in London throughout the week.
To summarize, BA’s data breach involved roughly 380,000 customers who transacted on BA’s websites from late August through the first week of September. Given the requirement by GDPR to disclose data breaches within 72 hours of discovery, BA had little time to understand the potential impacts from the breach. So, their disclosure was vague and left many customers guessing what to do in the wake of the breach. What is most concerning now is the potential for a GDPR fine which can range up to 4% of annual revenues or, in BA’s case, £500 million. It’s no wonder that CEOs consider risk management as one of their top priorities in 2018 (see figure below).
No longer will organizations have the luxury to take as much time as they want to disclose and when they do, accuracy of the disclosure is paramount. To respond quickly and effectively, an integrated risk management (IRM) approach and toolset is required. IRM links enterprise risk management (ERM), operational risk management (ORM) and IT risk management (ITRM) so that response can be coordinated quickly among a range of stakeholders and utilizing a robust risk management data set (see figure below).
In my one-on-one interactions with attendees at the London Summit, everyone agreed that IRM is the solution and must be a priority for organizations in this new world of GDPR. To learn more about IRM, check out my latest research (Gartner subscription required) or read my blog posts (for free!) at the Gartner Blog Network.
Category: audit-and-risk compliance-management cyber-risk cyber-security digital-risk enterprise-risk-management enterprise-risk-management-program-management integrated-risk-management irm operational-risk-management risk-assessment-process-and-methodologies risk-coverage risk-management risk-response-strategies security-of-applications-and-data strategic-risk technology-and-emerging-trends
Tags: cybersecurity gdpr integrated-risk-management irm
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.