Governance, Risk and Compliance

GDPR: Can Automation Solve Compliance Headaches?

Where calls to “get ready for GDPR” permeated last year’s InfoSecurity Europe conference in London, keynote speakers at this year’s event—conducted just 10 days after the European Union’s regulatory enforcement deadline—put a stronger spotlight on GDPR compliance and sunk more serious messaging teeth into their talks.

Author: ISACA’s Laurel Nelson-Rowe
Author: ISACA's Laurel Nelson-Rowe

Nowhere was this more evident than during the event’s “EU’s GDPR Is Here– Now What?” panel, where two enterprise privacy and security officers, a Microsoft cyber senior executive and a UK GDPR policy lead weighed the realities and rigor of the new regulatory environment.

Vivienne Artz, chief privacy officer for Thompson Reuters, said the organization has “put its house in order. Privacy, privacy and security by design are the new normal.”

Critical to Thompson Reuters progress, according to Artz, was senior management buy-in. GDPR support and change “must be a top-down exercise. Privacy cannot be delegated to a department. It is each individual who is now personally responsible,” she noted.

GDPR’s requirement that organizations report security breaches within a 72-hour period reinforces the individual employee awareness and activation, especially of documented, regularly practiced breach notification policies, according to Artz.

“If you don’t have a breach notification policy, you’re fried,” Artz declared.

Artz and Trainline security director Mieke Kooij emphasized understanding the regulation’s fine details, and working collaboratively, and very actively, across IT, audit, assurance and legal. For instance, “there are new things defined as ‘breach,’” and org-wide awareness is essential to avoid complaints and penalties, said Kooij.

The enterprise leaders emphasized their need for more automated services and tools to support regulatory requirements, such as data sourcing, mapping, data types and data access—a theme echoed by Johnnie Konstantas, Microsoft Enterprise Cybersecurity Group senior director. She said Microsoft, and most other technology and cloud service vendors, are deploying such capabilities given that GDPR lays additional burdens on the always accelerating pace of change in “applications, services and data … and of the supply chain. All of it as a very dynamic environment.”

And while not asserting the Information Commissioner’s Office (ICO) will “fry” non-compliant enterprises, technology policy head Nigel Houlden said “It’s fair to say there are some panicking” given GDPR’s requirements and impact across EU-based organizations and all entities that do business or have customers in the region.

“If an organization is willful, disregardant and neglectful of GDPR, you will be investigated. You will feel the force of … the authority of enforcement,” Houlden said. “We will not ignore anything, even the smallest complaint, if there is harm done.”

So, while leading up to the GDPR enforcement deadline, an ISACA survey asked participants about their GDPR readiness, maybe now the question should be along the lines of whether you are GDPR

  • Compliant
  • Neglectful
  • Panicked
  • Fried
  • Exhausted
  • or all of the above?

Editor’s note: For more GDPR resources from ISACA, visit

Laurel Nelson-Rowe is director of strategic communications at ISACA. Read more ISACA blogs here.