However, the challenge that continues to surface during conversations with organizations relates to the speculation over the regulation’s unknowns.
This is driven largely by the leeway the GDPR governing body has when assessing fines for data breaches and non-compliance: the regulation requires organizations to provide a “reasonable” level of protection for personal data without defining what constitutes “reasonable.”
Further, since the mandate does not go into effect until May 2018, there is no historical data that can be used to estimate the magnitude of fines imposed. With such uncertainty, how do organizations ensure they are prepared to meet the rigorous requirements of the GDPR?
Let’s start by leveraging the information about GDPR that is known:
Now let’s add the information that may be available to an organization:
Max/Min/Most Likely Values
Maximum values can be pulled directly from the GDPR guidance listed above. Estimates for minimum values can be determined by leveraging current loss magnitude figures based on historical fines from other regulating bodies.
Finally, the most likely values can be determined by skewing the estimates either toward the minimum or maximum values based on assumptions from the considerations above. For instance, is the organization more susceptible to violations of the requirements for consent or age of consent?
Incident Response Costs
Estimates for incident response costs can also be adjusted based on the GDPR’s 72-hour notification requirement. Again, start with figures that are known (i.e., figures based on current response times) and use ranges to account for those unknowns. Ensure that the updated figures take into account the level of effort to identify the root cause and impact of the breach within the 72-hour window.
Reputation Costs
Adjustments can also be made to account for reputation impact. For instance, if customers have a downstream reliance on the organization to be in compliance with GDPR, this could result in loss of business if a breach were to occur.
Risk analytics tools that use the FAIR model and that leverage Monte Carlo simulations can show decision makers their risk levels across a wide range of probable outcomes. Examples of such tools are FAIR-U, a free single-scenario training app provided by the FAIR Institute, and RiskLens, commercial enterprise-level software.
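As an added illustration of how the Max/Min/Most Likely ranges above feed a FAIR-style Monte Carlo simulation (this is not code from the article, FAIR-U or RiskLens), the following Python script draws loss event frequency and the three cost categories discussed (fine, incident response, reputation) from triangular distributions and reports percentiles of annualized loss exposure. All figures are constructed for a hypothetical organization.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Range:
    low: float    # minimum
    mode: float   # most likely
    high: float   # maximum

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) and skews draws toward the mode.
        return rng.triangular(self.low, self.high, self.mode)

def poisson(rng: random.Random, mean: float) -> int:
    """Loss events in one simulated year (Knuth's method; fine for small means)."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(lef: Range, fine: Range, response: Range, reputation: Range,
                         iterations: int = 10_000, seed: int = 7) -> list[float]:
    """One annualized loss per iteration; LEF (events/year) drives how many events occur."""
    rng = random.Random(seed)
    results = []
    for _ in range(iterations):
        total = 0.0
        for _ in range(poisson(rng, lef.sample(rng))):
            total += fine.sample(rng) + response.sample(rng) + reputation.sample(rng)
        results.append(total)
    return results

def percentile(values: list[float], pct: float) -> float:
    """Nearest-rank percentile of the simulated losses (pct in 0..100)."""
    ordered = sorted(values)
    return ordered[round(pct / 100 * (len(ordered) - 1))]

if __name__ == "__main__":
    # Constructed figures for a hypothetical organization; not taken from the article.
    losses = simulate_annual_loss(
        lef=Range(0.1, 0.3, 1.0),                     # reportable breaches per year
        fine=Range(50_000, 500_000, 20_000_000),      # regulatory fine per breach
        response=Range(100_000, 250_000, 1_000_000),  # 72-hour investigation and notification
        reputation=Range(0, 200_000, 5_000_000),      # lost business from downstream customers
    )
    for p in (10, 50, 90):
        print(f"P{p} annualized loss exposure: {percentile(losses, p):,.0f}")
```

The P10/P50/P90 spread is what a decision maker compares against the organization's risk appetite; narrowing any input range (for example, once fine history exists) narrows the output.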
Finally, an overarching critical success factor in preparing for GDPR is recognizing that organizations should not prepare risk analyses in silos. In fact, avoiding silos is key when performing any risk analysis using FAIR.
Key stakeholders and SMEs from the business should be actively engaged in providing data inputs for risk analyses in order to provide results that are defensible. This will also create the necessary transparency to show the GDPR governing body that risk has been mitigated to an “acceptable” level.