EU GDPR REPORT - Cybersecurity Insiders

European Union General Data Protection Regulation (EU GDPR) is the most significant change in data privacy regulation in more than 20 years.

2017 EU GDPR REPORT

PRESENTED BY (logo in the original)


TABLE OF CONTENTS

Overview ............................ 3
Key Findings ........................ 4
Familiarity with GDPR Regulations ... 5
Anticipated Regulatory Impact ....... 6
Regulatory Impact by Industry ....... 7
Compliance Priority ................. 8
Compliance Priority by Region ....... 9
Compliance Priority by Industry ..... 10
GDPR Preparedness ................... 11
Organizational Ownership ............ 12
Compliance Challenges ............... 13
Compliance Initiatives .............. 14
GDPR Chapters of Concern ............ 15
GDPR Articles of Concern ............ 16
Impact on Security Practices ........ 17
Impact on Security Budgets .......... 18
Data Governance Budget .............. 19
Data Protection Officers ............ 20
Demographics ........................ 21
5 Steps to GDPR Compliance .......... 23
About Us ............................ 29


Many thanks to STEALTHbits Technologies for supporting this groundbreaking research on a critical topic for data governance.

We also want to thank all of our participants who provided their time and input in completing the study.

We hope you will enjoy reading this report, and gain insight from its major findings.

INTRODUCTION

European Union General Data Protection Regulation (EU GDPR) is the most significant change in data privacy regulation in more than 20 years. The regulation imposes stringent requirements on companies that collect and retain user personal data. The regulation will go into effect on May 25, 2018.

This report is the result of a comprehensive crowd-based research study in conjunction with the 360,000+ member Information Security Community and Crowd Research Partners. The research was designed to identify the perspectives of organizations on the impact of the new regulations and how they plan to be in compliance with the mandated requirements.


2017 GDPR REPORT

STEALTHbits Technologies, Inc.
200 Central Avenue
Hawthorne, NJ 07506
United States
[email protected]
www.stealthbits.com


KEY FINDINGS

1. While an overwhelming majority of surveyed organizations (approaching 90%) are familiar with the EU GDPR regulations, only about a third (32%) state that they are compliant or well on the way to compliance.

2. Approximately 30% of surveyed companies report that they will need to make substantial changes to security practices and technology to be in compliance with EU GDPR policies.

3. The primary challenges in becoming compliant with EU GDPR policies are lack of budget (32%), limited understanding of the regulations (29%), and lack of expert staff with critical skills (28%).

4. The most important initiative in meeting EU GDPR compliance is to make an inventory of user data and map it to protected EU GDPR categories (49%). The next most significant initiative is to design applications and databases to have privacy enabled by default (31%).

5. A substantial majority (65%) of organizations where EU GDPR compliance is a top priority already have or plan to have a Data Protection Officer (either in-house or outsourced).


FAMILIARITY WITH EU GDPR REGULATIONS

Given that the EU GDPR goes into effect in May 2018, it is reasonable to expect familiarity with the regulations. It’s not surprising that companies headquartered in Europe have a higher level of familiarity than those in North America.

Q: How familiar are you with the EU GDPR?

[Chart: familiarity level by region (North America vs. Europe), with response categories Expert (have deep knowledge), Knowledgeable (quite familiar), Familiar (know some details), Limited familiarity, and Not at all aware. Deadline graphic: May 2018.]


ANTICIPATED REGULATORY IMPACT

Overall, only a few organizations expect that EU GDPR regulations will have substantial impact. However, companies claiming greater knowledge of the regulations believe that there is a far greater consequence – suggesting the importance of studying and understanding the regulations.

Q: How strictly do you believe the EU GDPR regulation will be enforced when it officially comes into effect?

[Chart: all respondents, and respondents by level of familiarity with the regulations (Expert, Knowledgeable, Familiar, Limited familiarity, Not at all aware), across three answers: Many will be fined for non-compliance; No one will be fined for non-compliance; A few organizations will be made an example of, but most will be given a pass.]


REGULATORY IMPACT BY INDUSTRY

The anticipated regulatory impact varies significantly by industry. This is likely indicative of the amount of personally identifiable customer information that is collected in the course of business operations.

Q: How strictly do you believe the EU GDPR regulation will be enforced when it officially comes into effect?

[Chart: responses by industry (Retail, Government, Technology, Financial Services, Healthcare, Higher Education, Energy) across three answers: Many will be fined for non-compliance; No one will be fined for non-compliance; A few organizations will be made an example of, but most will be given a pass.]


COMPLIANCE PRIORITY

With many companies being familiar with EU GDPR regulations, the next question was whether this understanding translated into a priority to be in compliance. A large proportion of companies indicated that compliance is a priority.

Q: How high of a priority is EU GDPR compliance to your company currently?

[Chart: all respondents across three answers: It’s one of the top 3 priorities for my company; It’s one of a number of priorities; It’s not a priority.]


COMPLIANCE PRIORITY BY REGION

The next question was whether the priority of GDPR compliance varies by region. Not surprisingly, compliance priority is substantially higher for EU-based companies.

Q: How high of a priority is EU GDPR compliance to your company currently?

[Chart: Europe vs. North America across three answers: It’s one of the top 3 priorities for my company; It’s one of a number of priorities; It’s not a priority.]


COMPLIANCE PRIORITY BY INDUSTRY

The next question on compliance was whether GDPR priority varies by industry. As seen below, there is a wide variance of priority by industry, with compliance being a top 3 priority in the Technology, Energy, Financial Services, Healthcare and Higher Education sectors.

Q: How high of a priority is EU GDPR compliance to your company currently?

[Chart: by industry (Retail, Government, Technology, Financial Services, Healthcare, Higher Education, Energy), showing the share answering "It’s one of the top 3 priorities for my company" and "It’s one of a number of priorities".]


GDPR PREPAREDNESS

It’s not surprising that preparedness should be directly related to compliance priority. The survey findings support this – organizations where EU GDPR compliance is a high priority are further into the process.

Q: How prepared is your company to meet EU GDPR regulations by the deadline?

[Chart: respondents by priority of EU GDPR compliance (top 3 priority / one of a number of priorities / not a priority), showing the share answering "We are well into the process" and "We are in compliance today".]


ORGANIZATIONAL OWNERSHIP

In general, Information Security teams have primary organizational ownership for meeting EU GDPR compliance. However, this is much more pronounced for companies where compliance is a top priority.

Q: What team within your company has primary responsibility for ensuring EU GDPR compliance?

[Chart: all respondents, and respondents by priority of EU GDPR compliance (not a priority / one of a number of priorities / top 3 priority), across five teams: Information Security, Information Technology, Legal, Financial, Other.]


COMPLIANCE CHALLENGES

Organizations have expressed multiple challenges in complying with GDPR. Not surprisingly, lack of budget is cited as the top challenge.

Q: What challenges is your company facing in becoming compliant with EU GDPR regulations?

#1  Lack of budget ............................ 32%
#2  Limited understanding of regulations ...... 29%
#3  Lack of expert staff with critical skills . 28%
#4  Lack of management support ................ 22%
#5  Lack of necessary technology .............. 18%


COMPLIANCE INITIATIVES

Participants have indicated multiple data initiatives to be compliant with regulations. However, one initiative stands out – that of making an inventory of user data and mapping them to protected EU GDPR categories.

Q: Which of the following initiatives are part of your program to be compliant with EU GDPR regulations?

49%  Making an inventory of user data and mapping to protected EU GDPR categories
31%  Designing applications and databases to have default data privacy enabled
28%  Audit to track down “rogue” data records with personal information
28%  Evaluating solutions to enable users to exercise their data rights
26%  Identify and integrate internally developed solutions
24%  Identify and integrate external applications
17%  Stress-testing resilience of proposed GDPR solutions


GDPR CHAPTERS OF CONCERN

While the EU GDPR regulations are complex and have many chapters, the primary area of concern is with the chapter on “Rights of the Data Subject”.

Q: Our EU GDPR compliance program is most concerned about the following chapters in the EU GDPR regulations

Chapter 1: General provisions
Chapter 2: Principles
Chapter 3: Rights of the data subject
Chapter 4: Controller and processor
Chapter 5: Transfer of personal data to third countries or international organizations
Chapter 6: Independent supervisory authorities
Chapter 7: Co-operation and consistency
Chapter 8: Remedies, liability and sanctions
Chapter 9: Provisions relating to specific data processing situations
Chapter 10: Delegated acts and implementing acts
Chapter 11: Final provisions

[Chart: share of respondents citing each chapter, ranging from 28% for the most-cited chapter down to 7% for the least-cited.]


GDPR ARTICLES OF CONCERN

The EU GDPR regulations have many articles. A significant article of concern is the “Right to be forgotten and to erasure”. For many organizations, it is a challenge to comply promptly with requests to remove and redact personally identifiable data, due to challenges in properly tagging and classifying data.

Q: Which of the following provisions are of the most concern to you?

Article 5: Principles relating to personal data processing
Article 10A: General principles for the rights of the data subject
Article 17: Right to be forgotten and to erasure
Article 18: Right to data portability
Article 23: Data protection by design and by default
Article 30: Security of processing
Article 33: Data protection impact assessment
Article 40: General principle for transfers

[Chart: share of respondents citing each article, ranging from 33% for the most-cited article down to 16% for the least-cited.]


IMPACT ON SECURITY PRACTICES

It’s not surprising that the anticipated impact on an organization’s security practices and technology increases significantly with the priority of EU GDPR compliance. Those companies needing to be compliant likely have a better understanding of the impact.

Q: To what level will your company’s security practices and technology need to change to be in compliance with EU GDPR policies?

All respondents:
  No change at all ........... 15%
  Relatively minor change .... 56%
  Substantial change ......... 29%

[Chart: the same three answers broken down by priority of EU GDPR compliance (not a priority / one of a number of priorities / top 3 priority).]


IMPACT ON SECURITY BUDGETS

As a corollary, it’s not surprising that the anticipated impact on security budget increases significantly with the priority of EU GDPR compliance. Those companies who need to be compliant will likely have to spend a larger proportion of their budget.

Q: What proportion of the IT Security budget will be devoted to compliance with EU GDPR policies?

All respondents:
  Less than 5% ............... 50%
  5%-10% ..................... 23%
  10%-20% .................... 15%
  20%-50% .................... 9%
  More than 50% .............. 3%

[Chart: the same breakdown by priority of EU GDPR compliance (not a priority / one of a number of priorities / top 3 priority).]


DATA GOVERNANCE BUDGETS

A different way of asking the budget question is to enquire about the anticipated growth in data governance budgets. Here again, the consistent response is that growth in budget appears strongly related to priority.

Q: Over the next 12 months, our company’s data governance budgets will increase by ..?

[Chart: respondents by priority of EU GDPR compliance (not a priority / one of a number of priorities / top 3 priority) across six answers: Decrease; Stay the same; Increase by up to 10%; Increase by 10%-30%; Increase by 30%-50%; Increase by more than 50%.]


DATA PROTECTION OFFICERS

The majority of respondents either have or plan to have a Data Protection Officer. The existence of, or plans to have, a Data Protection Officer is strongly related to the priority of EU GDPR compliance.

Q: Do you have a Data Protection Officer (DPO) role and/or title in your company?

[Chart: respondents by priority of EU GDPR compliance (not a priority / one of a number of priorities / top 3 priority) across four answers: We have a DPO (either in-house or outsourced); We plan to have a DPO (either in-house or outsourced); We don’t plan to have a DPO (either in-house or outsourced); We are not required to have a DPO.]

DEMOGRAPHICS

The 2017 GDPR Report is based on the results of a comprehensive online survey of over 520 companies from different geographic regions, with a predominant proportion from Europe.

REGION: Europe 59%, North America 29%, APAC 3%, LATAM 1%, Other 8%

INDUSTRY: Technology, Financial Services, Government, Higher Education, Healthcare, Retail, Energy, Other

DEPARTMENT: Information Security, Information Technology, Data protection, Legal, Other

CAREER LEVEL: CISO, DPO/Privacy Officer, VP of IT, VP of Security, Director, Manager, Analyst, Other

COMPANY SIZE: 1-250, 251-500, 501-1000, 1001-5000, 5001-10,000, 10,001-20,000, 20,000+

[Charts: percentage breakdown of respondents by industry, department, career level and company size.]

5 STEPS TO GDPR COMPLIANCE

CISO TO DPO: RESPONSIBILITY TRANSFER

With the EU GDPR going into effect, the responsibilities of the CISO/Head of Security will shift. This will result in moving Risk Management, Governance, Business Enablement, and Project Delivery Lifecycle to the Data Protection Officer (DPO)/Head of Privacy and having dotted lines to Identity Management and Security Operations.

The role of the DPO will be much like a Compliance Officer, with the additional responsibilities of overseeing sensitive data handling and impacted business processes. We’ve mapped out how the responsibilities will transfer from CISO to DPO.

[Diagram: CISO and DPO responsibility areas: Identity Management, Security Operations, Risk Management, Governance, Business Enablement, Project Delivery Lifecycle, Budget, Legal & Human Resources, Compliance & Audits. Risk Management, Governance, Business Enablement and Project Delivery Lifecycle move to the DPO, with dotted lines to Identity Management and Security Operations.]


PREPARATION TIMELINE

We’ve taken Data Governance, Identity and Access Management, and Data Migration processes and aligned them with the EU GDPR to outline how long each foundational piece will take to execute.

1. Raise Awareness & Gather Information: 7 Months
2. Plan & Prioritize: 5 Months
3. Implement Changes: 5 Months
4. Enforce Change & Maintain: Ongoing


REGULATORY SANCTIONS

The current maximum fine in the UK through the Data Protection Act is £500,000 [$615,000]. With the EU GDPR there will be a 3,600% increase in the maximum fine to an organization.

Maximum fine of €20M [~$22M] or 4% of the annual global revenue of the preceding financial year in the case of an enterprise (whichever is greater).

If the companies below were found non-compliant under the EU GDPR they would have been assessed the following 4% fines based on their 2015 reported global revenue (company names appear as logos in the original):

$1,771,600,00
$3,327,200,000
$4,280,000,000
$8,624,000,000


WHAT TO BUDGET FOR

PwC recently conducted a survey of 200 CIOs, CISOs, General Counsels, CCOs, CPOs and CMOs from US companies with more than 500 employees. 77% plan to spend $1 million or more on the EU GDPR. Below are 8 ways to outline your budget and prepare for May 25, 2018.

1. Data inventory & mapping
2. Privacy & state-of-the-art safe by design and by default
3. Solutions to enable the exercise of data subject rights (Articles 15-22)
4. Train employees to be GDPR proficient
5. Incentives for hunting down “rogue or non-obvious” personal data records
6. Stress testing GDPR resilience of the solutions proposed
7. Co-ordinate and integrate the solutions crowdsourced from the business
8. Hire both a GDPR architect and a GDPR DPO


HOW STEALTHBITS CAN HELP

“You need to know what sensitive data you have, where it is, and who has access to it. Governance should ensure that access is limited to those who really need it and actual access is checked against this list.”

- 2016 Verizon Data Breach Investigations Report

CHAPTER II: Principles
  Article 5, Principles relating to processing of personal data: Control 1(f) & 2

CHAPTER IV: Controller and Processor
  Article 24, Responsibility of the controller: Control 1
  Article 25, Data protection by design and by default: Control 1 & 2
  Article 32, Security of processing: Control 1 (b,c,d) & 2 & 4
  Article 33, Notification of a personal data breach to the supervisory authority: Control 1

ABOUT US

SPONSOR

STEALTHbits | www.stealthbits.com

STEALTHbits Technologies is a cybersecurity software company focused on protecting an organization’s credentials and data.

By removing inappropriate data access, enforcing security policy, and detecting advanced threats, we reduce security risk, fulfill compliance requirements and decrease operations expense.

Identify threats. Secure data. Reduce risk.