Top three GDPR challenges for the C-Suite

Posted on: April 25, 2018 by Abbas Shahim

Ever since the GDPR was first announced, IT professionals, lawyers, and business leaders have been highlighting concerns about the potential business risks and the challenges they could face in becoming compliant. Negative press surrounding the regulation has warned business leaders of onerous obligations, challenging practicalities and eye-watering financial penalties from the Information Commissioner’s Office.

Despite the negativity, there are many business benefits to the regulation. Shortly after it was first introduced, we highlighted how GDPR can be used to positive effect, but many business leaders are still struggling to understand what they need to do to become compliant.

While C-Level executives have been aware of the imminent deadline for a long time, the impact of GDPR is often underestimated. The European Commission says only two member states are ready for GDPR, and this is highlighted further by PwC’s Privacy Governance report, which reviewed 350 companies in Holland and found that only about 12% were adequately prepared for the new law.

Moreover, the importance of GDPR compliance has been emphasised by the growing number of cyber-attacks globally, with ransomware attacks on businesses around the world rising 50% last year and major organisations, such as Carphone Warehouse, receiving hefty financial penalties after suffering a data breach.

Security and privacy are two distinct sides of GDPR, and the regulation will lead to a new way of working. But what impact will the new rules have on the C-Suite, and what are the top three challenges facing those at the top?

Underestimating the impact

A significant challenge that the C-Suite has underestimated is the real impact of GDPR on their business. Many leaders assumed they just needed to implement several controls to protect data, such as encryption, but this is just one aspect of the regulation. Many C-Level executives believe that GDPR is solely a security issue with a technical solution, so it falls into the remit of the IT, compliance or security departments. Business leaders need to understand that privacy and security are two separate aspects of GDPR. The challenge has been understanding the breadth of areas that GDPR covers, and therefore the number of departments and people affected by the new legislation.

Building on previous investment

GDPR compliance requires additional controls in, among other aspects, processes, IT infrastructure, and applications. Rather than panic and invest in all new solutions, C-level executives need to know how they can ideally build upon the security investment they’ve made in the past. Organisations are aware of the scale of cyber threats and have invested a lot of money into security practices to protect their core assets. Once again, the focus has been largely on security and less so on privacy, so business leaders have struggled to build on that investment to an acceptable level related to GDPR compliance.

Learnings from the past

The third challenge is around taking learnings from previous compliance with laws and regulations. There are parallels with the Sarbanes-Oxley Act (SOX) of 2002, and more proactive business leaders will have learnt from that regulation. As with SOX, CFOs are mainly concerned with the costs that come with the processes and resources put in place to respond to compliance requirements. Containing the cost of compliance has been challenging ever since SOX’s introduction, and reactive approaches to compliance have often contributed to these costs rising. Forward-thinking C-Level executives have learnt from this and developed a rationalised set of controls to put into operation to provably adhere to GDPR requirements.

Our team of experts offers a complete program of support to help C-Suite executives to prepare for GDPR and to ensure continued compliance following implementation. From the initial impact assessment through to the appointment of a Data Protection Officer, GDPR is technically challenging and organizationally demanding, but adhering to its requirements is not optional. Download our brochure on Successfully meeting the challenges of GDPR to find out more about how Atos’ end-to-end approach can help.

About Abbas Shahim
Business & Management Consultant
Abbas Shahim is partner at Atos Consulting where he heads the international GRC practice. He is also full professor of IT Auditing and GRC at the VU University Amsterdam.