Do You Have a Roadmap for EU GDPR Compliance?

Do You Have a Roadmap for EU
GDPR Compliance?
David Morris,
Thought Leader
and Pioneer in
Cybersecurity
United States
Ian West,
Specialist in
GDPR, Data
Governance,
Data Privacy &
Security
United Kingdom
Ulf Mattsson,
CTO Security
Solutions
Atlantic BT,
United States
ulf.mattsson@atla
nticbt.com
Khizar A. Sheikh,
Chair, Privacy,
Cybersecurity, and
Data Law,
Mandelbaum
Salsburg
United States
ksheikh@lawfirm.ms

Webcast - Aug 17
3
Title : Do You Have a Roadmap for EU GDPR Compliance?
Description : The General Data Protection Regulation (GDPR) goes into effect in 2018 and it will affect any business that handles
data, even if it's not based in the European Union.
Are you looking to move and host data for EU citizens? Do you have a roadmap and associated estimated costs for EU GDPR
compliance?
Join this webinar to learn:
• Case study and legal/regulatory impact to GDPR
• Security Metrics
• Oversight of third parties
• How to measure cybersecurity preparedness
Presenters : Ulf Mattsson, David Morris, Ian West. and Khizar Sheikh
Date & Time : Aug 17 2017 5:00 pm
Timezone : United States - New York
Webcast URL : https://www.brighttalk.com/webcast/14723/259741

GDPR Case Studies
Source: EU GDPR Report, Crowd Research Partners, 2017 4
1.US and Spain – customer data
2.Italy, Germany and more – financial data
3.Germany – outsourcing
4.Sweden – PII data

US Companies
Ramping up
GDPR
Budgets

PWC GDPR Survey
Source: PWC GDPR Survey, 2017
6
PwC recently conducted a pulse survey of 200 CIOs, CISOs, General Counsels, CCOs, CPOs and
CMOs from US companies with more than 500 employees. The survey asked the c-suite about
their plans for Europe’s landmark General Data Protection Regulation (GDPR). The “pulse”
revealed five surprising results.

Over half of US multinationals say GDPR is their top data-
protection priority
Source: PWC GDPR Survey, 2017 7
The EU reached agreement on the GDPR in December 2015, and in the last twelve months
preparing for the new law’s obligations have jumped to the top of corporate agendas.
Of the 200 respondents to PwC’s recent pulse survey on GDPR preparedness, 54 % reported
that GDPR readiness is the highest priority on their data-privacy and security agenda.
Another 38% said GDPR is one of several top priorities, while only 7% said it isn’t a top priority.

Information security enhancement is a top GDPR initiative
Much of the discussion about the GDPR has focused on the law’s privacy-centric requirements,
such as mandatory record keeping, the right to be forgotten and data portability.
The GDPR’s relatively generic information-security obligations, however, figure prominently in
GDPR plans of US companies.
•Among the 23% of survey respondents who haven’t started preparing for GDPR, their top
priorities are data discovery, information security enhancement, third-party risk management
and GDPR gap assessment.
•Among the 71% who have begun GDPR preparation, the most-cited initiatives in flight are
information security, privacy policies, GDPR gap assessment and data discovery.
•Among the 6% who have completed GDPR preparations, the most-cited projects are
information security, GDPR gap assessment, data discovery, and third-party risk management.
•IT re-architecture is the lowest priority for companies in all three phases.

77% plan to spend $1 million or more on GDPR
Securing a $1 million budget for data privacy has been more an
exception than a rule for many American corporations.
The GDPR’s potential 4% fine of global revenues, however, has changed
budget appetites for mitigating this GDPR risk.
While 24% of respondents plan to spend under $1 million for GDPR
preparations, 68% said they will invest between $1 million and $10
million.
Nine percent (9%) expect to spend over $10 million to address GDPR
obligations.

Binding corporate rules are gaining popularity
The pulse survey asked executives which EU cross-border data-transfer mechanism they
planned to use for processing EU personal data outside of Europe.
After the invalidation of the Safe Harbor agreement in October 2015, most Safe Harbor
members implemented so-called model contractual clauses as a stop-gap measure.
Many observers, especially those in the legal community, thought model clauses would
become the new norm.
While 58% of respondents reported that future strategies would include model contracts, a
stunning 75% said they will pursue binding corporate rules (BCRs), while 77% plan to self-
certify to the EU-US Privacy Shield agreement.
The uncertain future of both model contracts and the Privacy Shield may drive US
multinationals to adopt two or even all three of these options to hedge their risks.

How US businesses are re-evaluating their presence in
Europe
US corporations that are heavily invested in Europe will probably
stay the course in the near term.
Indeed, 64% of executives reported that their top strategy for
reducing GDPR exposure is centralization of data centers in Europe.
Just over half (54%) said they plan to de-identify European personal
data to reduce exposure.
The threats of high fines and impactful injunctions, however, clearly
have many others reconsidering the importance of the European
market.
In fact, 32% of respondents plan to reduce their presence in Europe,
while 26% intend to exit the EU market altogether.

Outlook: Striving to keep pace with the GDPR
American multinationals that have not taken significant steps to prepare for GDPR are already
behind their peers. The typical large US corporation is currently moving through a data-
discovery and assessment phase toward a multi-million-dollar remediation initiative that
includes shoring up standard data-privacy and security capabilities in US operations. As
European regulators in 2017 further clarify how they interpret the GDPR, more American
companies are likely to re-evaluate the return-on-investment of their European initiatives.

GDPR Key Findings

Familiarity with GDPR

GDPR Impact

GDPR Impact by Industry

GDPR Compliance by Region

GDPR Compliance by Industry

GDPR Preparedness

GDPR Organizational Ownership

GDPR - Challenges

GDPR Initiatives

GDPR Chapters of Concern

GDPR Articles of Concern

GDPR Impact on Security Practices

GDPR Impact on Security Budgets

GDPR Study - Demographics
Source: Ponemon Institute, 2017 29

GDPR – Our Sample

GDPR Most Difficult

GDPR PII Definition is more expansive

GDPR – Compliance to Breach Process

GDPR – Plan to meet GRC Requirements

GDPR IT Sec Budget

GDPR Data Governance Budgets

GDPR – Data Protection Officers
Source: Ponemon
Institute, 2017
37

GDPR Governance In-place

GDPR – Rights to EU Citizens?

GDPR – Do you know Which Data has Gone to 3rd
parties?

GDPR compared to PCI, HIPAA and more

Preparing for GDPR: People
Source: IBM, 2017 44

Preparing for GDPR: Process

Preparing for GDPR: Technology

Preparing for GDPR Moving Forward

Steps for for Securing
Data to Comply with the
GDPR

Does GDPR Apply?
Source: Imperva, 2017 49

Checklist for GDPR

GDPR Rules Requires Data Protection Technology

GDPR Prep Now or Pay the Price

GDPR – Plan to go The Distance

GDPR Already a Reality
Source: Cordery Legal Compliance, UK, 2017 56

GDPR – Your Plan

GDPR
12 Steps to take
now
(ICO UK)

Preparing
for GDPR
Source: ICO – Information
Commissioner’s Office, UK,
2017
60

GDPR
Key Problems and
Some Solutions

62
The Currency of Trust: The “Why” of GDPR
Source: Exate, 2017

What will
GDPR cost?
Source: Exate, 2017

The Challenges …
Source: Exate, 2017

The Problem
Source: Exate, 2017

What If …
Source: Exate, 2017

Do You Have a Roadmap for EU GDPR Compliance?

More Related Content

What's hot

Similar to Do You Have a Roadmap for EU GDPR Compliance?

More from Ulf Mattsson

Recently uploaded

Do You Have a Roadmap for EU GDPR Compliance?