The European Union’s General Data Protection Regulation (GDPR), which comes with potentially high fines for noncompliance, is forcing chief information security officers (CISOs) at organizations of all sizes to rethink how they manage data privacy. Yet many still don’t have a data security governance strategy.
“Although GDPR guidelines have been in effect since 25 May 2018, it’s clear that many organizations lack such a strategy or the tools needed to effectively protect sensitive data and maintain privacy and protection,” says Deborah Kish, principal research analyst at Gartner.
“GDPR is a wake-up call for CISOs to draft new data security strategies”
Their delay in formulating a strategy is due to a myriad of competing demands. These include overlapping compliance frameworks and mandates such as the NIST Cybersecurity Framework in the U.S., Australia's new breach notification law and Japan's Act on the Protection of Personal Information (APPI), as well as national data access laws and the access requirements of international staff. As a result, organizations are at different levels of GDPR compliance.
“None of them are completely GDPR ready,” explains Kish. She adds that “CISOs should remember that GDPR is not the ‘silver bullet’ that will resolve all their security governance issues. They need to evolve their organization’s guidelines to ensure data security governance.”