As the final months approach before the EU's General Data Protection Regulation (GDPR) goes into effect in May 2018, organizations are making significant investments to ensure they are prepared for the changes to come, particularly the strict rules on handling consumers’ personally identifiable information (PII).
However, the challenge that continues to surface during conversations with organizations relates to the speculation over the regulation’s unknowns.
This is predominantly driven by the leeway that the GDPR governing body has when it comes to assessing fines for data breaches and non-compliance, claiming that organizations must provide a “reasonable” level of protection for personal data, without defining what constitutes “reasonable.”
Further, since the mandate does not go into effect until May 2018, there is no historical data on the magnitude of fines imposed that can be leveraged. With such uncertainty, how do organizations ensure they are prepared to meet the rigorous requirements of the GDPR?
Let’s start by leveraging the information about GDPR that is known:
- Penalties of up to 4 percent of global annual turnover or €20 million, whichever is higher, can be imposed for non-compliance
- Organizations will be required to report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected. Fines for failing to notify a data authority could be up to 2 percent of global annual turnover or €10 million, whichever is higher
- Local data authorities will have additional resources to investigate and audit organizations that fall under the GDPR jurisdiction
- Generally speaking, a violation of GDPR requirements for consent will be subject to higher level fines. Violations concerning age of consent will be subject to lower level penalties
- The types of data that are deemed PII are clearly defined for GDPR
Now let’s add the information that may be available to an organization:
- The magnitude of PII records that are stored/processed, as defined by GDPR
- An inventory of the systems (applications and supporting IT infrastructure) that store and/or process PII, as defined by GDPR, along with the flow of that data from origin to its final resting place. This information is critical as it helps to minimize the scope of the assets to consider in risk analyses.
- Whether customers have a downstream reliance on the organization to be in compliance with GDPR, which could result in loss of business if a breach were to occur
- Controls in place that reduce the potential impact of a breach and so skew the likely fine toward the minimum (e.g., encryption controls, DLP blocking mechanisms)
- Current loss magnitude figures based on historical data or industry-imposed fines
Pulling this information together, organizations can estimate a new range of potential penalties and compare these to current loss magnitude estimates either for data breaches found internally or from industry data.
Max/Min/Most Likely Values
Maximum values can be pulled directly from the GDPR guidance listed above. Estimates for minimum values can be determined by leveraging current loss magnitude figures based on historical fines from other regulating bodies.
Finally, the most likely values can be determined by skewing the estimates either toward the minimum or maximum values based on assumptions from the considerations above. For instance, is the organization more susceptible to violations of the requirements for consent or age of consent?
Incident Response Costs
Estimates for incident response costs can also be adjusted based on the GDPR’s 72-hour notification requirement. Again, start with figures that are known (e.g., figures based on current response times) and use ranges to account for the unknowns. Ensure that the updated figures take into account the level of effort required to identify the root cause and impact of the breach within the 72-hour window.
Adjustments can also be made to account for reputation impact. For instance, if customers have a downstream reliance on the organization to be in compliance with GDPR, this could result in loss of business if a breach were to occur.
Once appropriate adjustments to loss magnitudes have been made, organizations can use the FAIR model to perform risk analyses based on quantitative values in financial terms to help prioritize IT spend for GDPR-related remediation efforts, such as which types of encryption to invest in, and where in the organization to invest first.
Risk analytics tools that use the FAIR model and that leverage Monte Carlo simulations can show decision makers their risk levels across a wide range of probable outcomes. Examples of such tools are FAIR-U, a free single-scenario training app provided by the FAIR Institute, and RiskLens, a commercial enterprise-level software.
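The procedure described above (maximum from the GDPR guidance, minimum from historical fines, a most-likely value skewed toward one end, then a Monte Carlo run over those ranges) can be carried through in a few dozen lines. The following is an added example written for this article; it is not code from the FAIR Institute, FAIR-U or RiskLens. It assumes a triangular distribution for each min/most-likely/max range (commercial FAIR tooling commonly uses a PERT distribution; triangular is used here because it ships with Python's standard library), a Poisson draw for the number of loss events in a year, and a simple per-event loss made up of fine plus response cost plus reputation loss. All monetary and frequency values in `EXAMPLE` are constructed for illustration; only the penalty cap formula (4 percent of turnover or €20 million, whichever is higher) comes from the article.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Min / most-likely / max estimate, the shape the article asks analysts to build."""
    minimum: float
    most_likely: float
    maximum: float

    def __post_init__(self):
        if not 0 <= self.minimum <= self.most_likely <= self.maximum:
            raise ValueError("need 0 <= minimum <= most_likely <= maximum")

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution (assumption): the most-likely value is the mode,
        # so skewing it toward min or max shifts probability mass that way.
        if self.minimum == self.maximum:
            return self.minimum
        return rng.triangular(self.minimum, self.maximum, self.most_likely)


def gdpr_max_penalty(global_turnover_eur: float, tier_pct: float = 0.04,
                     tier_floor_eur: float = 20e6) -> float:
    """Upper bound for a fine: the tier's percentage of turnover or its floor, whichever is higher."""
    return max(tier_pct * global_turnover_eur, tier_floor_eur)


def poisson(rng: random.Random, lam: float) -> int:
    """Number of events in one year (Knuth's method; adequate for small event rates)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


@dataclass(frozen=True)
class Scenario:
    loss_event_frequency: Range   # breaches per year
    fine: Range                   # regulatory penalty per breach, EUR
    response_cost: Range          # effort to find root cause and notify within 72 hours, EUR
    reputation_loss: Range        # downstream customer loss per breach, EUR

    def sample_year(self, rng: random.Random) -> float:
        events = poisson(rng, self.loss_event_frequency.sample(rng))
        return sum(self.fine.sample(rng) + self.response_cost.sample(rng)
                   + self.reputation_loss.sample(rng) for _ in range(events))


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 2018) -> list:
    """Monte Carlo: one simulated year per iteration, returning annualized loss per year."""
    rng = random.Random(seed)
    return [scenario.sample_year(rng) for _ in range(years)]


def summarize(annual_losses: list) -> dict:
    """Percentiles of the simulated annual loss, the figures a decision maker is shown."""
    losses = sorted(annual_losses)

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {"mean": sum(losses) / len(losses), "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90), "max": losses[-1]}


# Constructed scenario: a 500M EUR organization. Fine maximum is the GDPR cap;
# fine minimum stands in for a historical fine from another regulator.
TURNOVER_EUR = 500e6
EXAMPLE = Scenario(
    loss_event_frequency=Range(0.05, 0.2, 0.5),
    fine=Range(50_000, 2e6, gdpr_max_penalty(TURNOVER_EUR)),
    response_cost=Range(100_000, 400_000, 1.5e6),
    reputation_loss=Range(0, 500_000, 5e6),
)

if __name__ == "__main__":
    for name, value in summarize(simulate(EXAMPLE)).items():
        print(f"{name:>4}: EUR {value:,.0f}")
```

Changing the `most_likely` value of `fine` toward the cap (for an organization more exposed to consent violations) or toward the floor (where encryption or DLP controls reduce the impact of a breach) and re-running the simulation shows directly how that assumption moves the p50 and p90 figures.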
Finally, an overarching critical success factor in preparing for GDPR is recognizing that organizations should not prepare risk analyses in silos. In fact, this approach is key when performing any risk analysis using FAIR.
Key stakeholders and SMEs from the business should be actively engaged in providing data inputs for risk analyses in order to provide results that are defensible. This will also create the necessary transparency to show the GDPR governing body that risk has been mitigated to an “acceptable” level.