Blog post

GDPR Requires IRM For Fast and Effective Response

By John A. Wheeler | September 14, 2018 | 0 Comments

Technology and Emerging TrendsTech and Service ProvidersStrategic riskSecurity of Applications and DataSecurity and Risk Management LeadersRisk ManagementOperational risk managementLegal riskLegal and ComplianceIRMintegrated risk managementEnterprise risk managementDigital riskCyber securityCyber riskCompliance managementAudit and RiskEnterprise Risk Management Program ManagementRisk Assessment Process and MethodologiesRisk CoverageRisk Response Strategies

This week, Gartner hosted its annual Security & Risk Management Summit in London and the buzz at the event centered on the new risks associated with the General Data Protection Regulation (GDPR). The discussion was fueled by the recent cyber attack experienced by British Airways (BA). BA disclosed the data breach just prior to our event and it was headline news in London throughout the week.

To summarize, BA’s data breach involved roughly 380,000 customers who transacted on BA’s websites from late August through the first week of September. Given the requirement by GDPR to disclose data breaches within 72 hours of discovery, BA had little time to understand the potential impacts from the breach. So, their disclosure was vague and left many customers guessing what to do in the wake of the breach. What is most concerning now is the potential for a GDPR fine which can range up to 4% of annual revenues or, in BA’s case, £500 million. It’s no wonder that CEOs consider risk management as one of their top priorities in 2018 (see figure below).


No longer will organizations have the luxury to take as much time as they want to disclose and when they do, accuracy of the disclosure is paramount. To respond quickly and effectively, an integrated risk management (IRM) approach and toolset is required. IRM links enterprise risk management (ERM), operational risk management (ORM) and IT risk management (ITRM) so that response can be coordinated quickly among a range of stakeholders and utilizing a robust risk management data set (see figure below).


In my one-on-one interactions with attendees at the London Summit, everyone agreed that IRM is the solution and must be a priority for organizations in this new world of GDPR. To learn more about IRM, check out my latest research (Gartner subscription required) or read my blog posts (for free!) at the Gartner Blog Network.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed