GDPR Requires IRM For Fast and Effective Response

This week, Gartner hosted its annual Security & Risk Management Summit in London and the buzz at the event centered on the new risks associated with the General Data Protection Regulation (GDPR). The discussion was fueled by the recent cyber attack experienced by British Airways (BA). BA disclosed the data breach just prior to our event and it was headline news in London throughout the week.

To summarize, BA’s data breach involved roughly 380,000 customers who transacted on BA’s websites from late August through the first week of September. Given the requirement by GDPR to disclose data breaches within 72 hours of discovery, BA had little time to understand the potential impacts from the breach. So, their disclosure was vague and left many customers guessing what to do in the wake of the breach. What is most concerning now is the potential for a GDPR fine which can range up to 4% of annual revenues or, in BA’s case, £500 million. It’s no wonder that CEOs consider risk management as one of their top priorities in 2018 (see figure below).

No longer will organizations have the luxury to take as much time as they want to disclose and when they do, accuracy of the disclosure is paramount. To respond quickly and effectively, an integrated risk management (IRM) approach and toolset is required. IRM links enterprise risk management (ERM), operational risk management (ORM) and IT risk management (ITRM) so that response can be coordinated quickly among a range of stakeholders and utilizing a robust risk management data set (see figure below).

In my one-on-one interactions with attendees at the London Summit, everyone agreed that IRM is the solution and must be a priority for organizations in this new world of GDPR. To learn more about IRM, check out my latest research (Gartner subscription required) or read my blog posts (for free!) at the Gartner Blog Network.