Role of CISOs and DPOs in GDPR readiness

Forrester analyst Enza Iannopollo earlier said global enterprises are not yet ready with their GDPR-compliance.

Forrester’s data security survey shows that one in three firms believes they are GDPR-compliant today.

“Our data shows that nearly 30 percent of companies globally are fully GDPR-compliant today. However, based on our qualitative research, we believe that just a portion of these firms have actually engaged in data discovery and classification exercises as well as built data flow maps and run gap analysis,” Forrester said.

Many firms have taken a piecemeal approach to GDPR, focusing on obligations that rely primarily on IT to meet specific compliance requirements, such as data breach notification.

Forrester said these approaches are short-sighted and will most likely need radical revision after enforcement of the GDPR rules starts in May.

In Europe, 26 percent of firms report that they are fully GDPR-compliant, the lowest figure across all geographies.

Another 22 percent of European firms expect to be GDPR-compliant within 12 months. Too many firms still believe that GDPR doesn’t apply to them, but GDPR has extraterritorial effect: companies that are not physically present in the EU still have to comply with the rules.

GDPR applies to companies that engage in data collection and that define the guidelines for processing activities as well as to firms that process data on behalf of their clients and strictly follow their directions.

Firms in regulated industries have a head start on the GDPR journey. Prior experience with tough regulation matters when it comes to GDPR. Firms in highly regulated verticals, such as financial services, have the luxury of relying on established compliance and data protection teams and often also on data protection officers.

For firms not used to regulation, their GDPR journeys must start with the creation of the right team that can then define a framework for the firm’s compliance strategy.

Financial services firms are the most GDPR-mature organizations across all geographies.

Centre for Information Policy Leadership President Bojana Bellamy has discussed the role of chief information security officers (CISOs) in GDPR readiness.

Failure to comply with GDPR creates the potential for regulatory enforcement actions that could limit a firm’s ability to process customer data in certain ways. Reputational damage and loss of trust might lead its customers to take their business, and their data, somewhere else.

Media and retail lag behind other industries. Companies in media and retail hold enormous stores of customers’ personal data that they must rationalize and bring within GDPR compliance. They have only recently started their GDPR journeys, often under pressure from their own customers.

Many firms have hired a data protection officer (DPO) or are about to do so. Some firms, mainly outside Europe, are also planning to use external consultants as their DPO. The presence of a DPO doesn’t necessarily mean that the GDPR budget sits with that role or that the DPO is the ultimate leader of the GDPR compliance strategy.

Forrester said GDPR compliance is not a one-off effort; firms must embed it in the way the business uses personal data daily, and it has to work as long as the firm operates. Regulators have included rules that allow them to potentially audit firms on a continuous basis.

The Forrester report examined the GDPR readiness of companies worldwide ahead of the May deadline for GDPR compliance.

While the main focus is on companies in the EU preparing for GDPR, 33 percent of North American companies are fully compliant with GDPR, followed by Asia Pacific and Latin America, both at 29 percent, with Europe falling behind at 26 percent. The findings also show how companies are deploying GDPR compliance programs and the challenges they still face with the transition.