Before drafting a security strategy, security and risk management leaders need to consider several key questions. As these questions cannot be answered solely by the security team, CISOs need to collaborate with other data security governance stakeholders who, for example, understand the data stored or processed on the organization’s systems.

Gartner has identified five steps security and risk management leaders can take to develop a data security governance strategy and ensure their organization is GDPR-compliant.

  1. Perform risk assessments to identify different data residency, compliance and security threats, and prioritize these threats using a financial assessment.
  2. Identify which datasets and risks need to be addressed, as not all datasets need the same level of security. Some may not need any.
  3. Define an appropriate set of security policies and associated procedures and security architectures for each business risk. Ensure each policy balances the needs of people or entities to access relevant datasets across all available digital business environments.
  4. Use these policies, procedures and security architectures to set the requirements for products that need to be deployed across the organization’s IT infrastructure.
  5. Create access and usage policies for each dataset that are consistent, as data flows across all available digital business environments, applications and endpoints.