Evaluating Data Retention Risk from GDPR Using FAIR

Despite the increased focus on data privacy triggered by GDPR, which went into effect in May 2018, studies have shown that organizations still have strides to make before they are fully compliant with the mandate. A recent survey by Varonis reported that many organizations continue to accumulate data that no longer needs to be retained, despite GDPR’s right-to-be-forgotten clause: 95% of the organizations that participated in the survey had 100,000 or more files with stale data belonging to employees or customers.

In this article, I will share how a large financial organization used cyber risk quantification (based on the FAIR model and RiskLens, our Technical Advisor's cyber risk management software platform) not only to evaluate the amount of cyber risk their stale customer data introduced under the requirements of GDPR, but also to inform better investment decisions and maximize their return on investment.

The scenario

The analysis was broken out into two separate loss events (Figure 1), each containing an asset, a threat, and an effect, that could be measured using the FAIR model. The analysis also included two separate future-state analyses to evaluate the risk reduction offered by two investment options: tokenization and purging of stale data.

Figure 1: Scope of Risk Analysis


The analysis

Once the loss events were clearly scoped and defined, the organization’s risk analysts began collecting data through structured workshop questions in the RiskLens platform on key risk and control factors, including the historical number of breach attempts, the existence of monitoring tools such as database access monitoring and DLP, the number of PII records stored in each system (and how many of them were stale), and the resources required to respond to data breaches. The analysis also drew on industry data points from organizations such as Advisen to estimate the potential fines and penalties from customers and regulatory entities that the organization could face after a data breach.

The risk analysts also used RiskLens’s versioning capability to model several “what if” scenarios in which either tokenization was implemented on select PII fields of the assets in scope or stale PII was purged from those environments.

The results 

Over the course of a four-day period, the organization was able to efficiently produce both high-level reporting and detailed results describing, in financial terms, the effect of a data breach involving either a network file share or a database cluster containing stale customer PII.

The figure below shows the average annual risk reduction the organization is likely to experience from either (1) purging stale data or (2) implementing tokenization. The graph shows an annualized risk reduction of $75M for the data purge option, whereas tokenization provides a reduction of $135M. The tokenization option, however, came at a significantly higher investment cost (not shown in the graph below).

Figure 2: Risk Reduction Comparison

In conclusion, the amount of stale data present in the organization’s environment not only heightened the magnitude of the cost of noncompliance with GDPR's right-to-be-forgotten clause, it also elevated the organization’s loss exposure to a data breach. The results of the quantitative risk analysis also offered insight into another investment decision facing management: does the amount of risk reduction justify the investment in data tokenization? The answers to this and similar questions are business decisions that can only be enabled through risk quantification.
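The comparison behind Figure 2 reduces to FAIR arithmetic: annualized loss exposure (ALE) is loss event frequency times loss magnitude, summed over the two loss events, and each future state changes one factor (purging shrinks the record count; tokenization shrinks the share of records whose PII is exposed). The example below is an added illustration, not the organization's analysis or RiskLens output: every input value is constructed, and a real FAIR analysis runs Monte Carlo simulation over calibrated ranges rather than the point estimates used here.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class LossEvent:
    """One FAIR loss event: an asset holding customer PII, a threat and a breach effect."""
    name: str
    tef: float                        # threat event frequency: breach attempts per year
    vuln: float                       # probability an attempt becomes a loss event
    records: int                      # PII records stored on the asset
    stale_fraction: float             # share of records that should already be purged
    tokenized_fraction: float = 0.0   # share of records whose PII fields are tokenized
    cost_per_record: float = 5.0      # response, notification and customer remediation
    fine_per_record: float = 20.0     # regulatory fines and penalties (GDPR exposure)
    response_cost: float = 500_000.0  # fixed incident response cost per loss event
    def lef(self) -> float:           # loss event frequency per year
        return self.tef * self.vuln

    def loss_magnitude(self) -> float:
        exposed = self.records * (1 - self.tokenized_fraction)  # tokenized fields leak no PII
        return self.response_cost + exposed * (self.cost_per_record + self.fine_per_record)
    def ale(self) -> float:           # annualized loss exposure
        return self.lef() * self.loss_magnitude()

def purge_stale(ev: LossEvent) -> LossEvent:
    """Future state 1: stale records are deleted, so fewer records can be breached."""
    return replace(ev, records=round(ev.records * (1 - ev.stale_fraction)), stale_fraction=0.0)

def tokenize(ev: LossEvent, fraction: float = 0.8) -> LossEvent:
    """Future state 2: select PII fields are tokenized; stale records stay but leak less."""
    return replace(ev, tokenized_fraction=fraction)

def portfolio_ale(events) -> float:
    return sum(e.ale() for e in events)

def compare_options(events, options):
    """Current ALE plus, per option: future ALE, annual risk reduction, reduction net of cost."""
    base = portfolio_ale(events)
    results = {}
    for name, (transform, annual_cost) in options.items():
        future = portfolio_ale([transform(e) for e in events])
        results[name] = {"ale": future, "reduction": base - future,
                         "cost": annual_cost, "net": base - future - annual_cost}
    return base, results

# Constructed inputs (not the organization's figures): a file share and a database cluster,
# and for each option its future-state transform with a constructed annualized cost.
EVENTS = [
    LossEvent("network file share", tef=5, vuln=0.05, records=2_000_000, stale_fraction=0.6),
    LossEvent("database cluster", tef=10, vuln=0.02, records=5_000_000, stale_fraction=0.4, response_cost=1_000_000.0),
]
OPTIONS = {"purge stale data": (purge_stale, 2_000_000.0), "tokenization": (tokenize, 12_000_000.0)}
```

With these constructed inputs the purge option reduces ALE by $17.5M for a $2M annual cost and tokenization by $30M for $12M, so the larger reduction still wins net of cost, which is the question management had to settle in the article.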

This analysis also adds transparency, showing GDPR examiners that risk has been mitigated to an “acceptable” level given the organization's financial standing, in a language common to all stakeholders.

Learn more: 

How to Analyze Your Risk from GDPR: A FAIR Approach
