How GDPR Will Change the Way Organizations Assess and Manage Risk

January 24, 2019  Jay Soni

The alarming proliferation of cyber-attacks on large organizations and governments across the globe has created a heightened state of awareness, which has spurred policymakers in Europe to draft and adopt new data protection regulations. The General Data Protection Regulation (GDPR) sets out to replace and expand upon the 1995 Data Protection Directive.

What is the GDPR?

Organizations that handle or process EU residents’ data will need to be compliant with the regulation by May of 2018 or face hefty fines. Companies found non-compliant will be subject to fines of up to 20 Million EUR or up to 4% of worldwide turnover (revenue), whichever is higher. It’s no wonder organizations are scrambling to implement the necessary changes within their security and risk management teams.

What is notable about GDPR is the shift to a risk-based approach to managing many of the articles outlined in the regulation. GDPR uses the terms “risk” and “high risk” throughout; labeling an activity or a category of data as “high risk” triggers certain requirements for the organization. For example, when an activity is considered “high risk”, a risk assessment is required, with applicable controls applied to mitigate the risk. This must be done with the consultation and oversight of the Data Protection Officer.

While GDPR provides some guidance on what counts as a “high risk” activity, much is still left to be interpreted by each organization. This will no doubt require companies to put an emphasis on adopting a consistent, practical and defensible risk assessment methodology, particularly companies in sectors like banking, healthcare and retail, which tend to process more sensitive data.

The problem is that many organizations in the EU today take a “one size fits all” compliance-based approach to information risk management and are currently unequipped to meet some of the stringent mandates that GDPR outlines.

GDPR bears similarities to the Gramm-Leach-Bliley Act (GLBA) of 1999 in the United States. GLBA set forth strict safeguard rules for financial institutions, so EU companies can look to their US counterparts for guidance. Many financial institutions and Fortune 500 companies here in the States have taken a risk-based approach and have implemented quantitative models to help them consistently define risk and understand their loss exposure in financial terms.

Using a proven standard to analyze risk

One standard information risk model that is gaining domestic and global acceptance is Factor Analysis of Information Risk (FAIR). FAIR is a quantitative risk analysis model that decomposes risk into discrete factors (how often loss events occur and how much each one costs), which allows information or cyber risk to be quantified. This has enabled companies operating in the US to:

  • Understand Loss Exposure in financial terms “dollars and cents”
  • Prioritize Risk Mitigations
  • Assess the ROI of Security Initiatives
  • Bridge the communication gap between the business, IT and regulators
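To make the FAIR decomposition concrete, the following is an added example (not RiskLens software or the FAIR standard’s own tooling). It estimates annualised loss exposure for one constructed scenario by Monte Carlo, treating loss event frequency as threat event frequency multiplied by vulnerability and loss magnitude as a per-event cost, then compares the exposure before and after a hypothetical control to get an ROI figure. All estimate ranges, the PERT/Poisson sampling choices and the control cost are assumptions.

```python
import math
import random
import statistics

def pert(low, mode, high, rng, lam=4.0):
    """Sample a modified PERT distribution from a (min, most likely, max) estimate."""
    if high <= low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)

def poisson(mean, rng):
    """Number of loss events in one year for an expected frequency (Knuth's method)."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(scenario, trials=10000, seed=1):
    """Monte Carlo annualised loss exposure for one FAIR-style scenario.
    Each factor is a (min, most likely, max) estimate supplied by the analyst."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        tef = pert(*scenario["tef"], rng)    # threat event frequency per year
        vuln = pert(*scenario["vuln"], rng)  # P(a threat event becomes a loss event)
        events = poisson(tef * vuln, rng)    # loss events realised in this simulated year
        yearly.append(sum(pert(*scenario["lm"], rng) for _ in range(events)))
    yearly.sort()
    return {"mean": statistics.fmean(yearly),
            "p50": yearly[len(yearly) // 2],
            "p90": yearly[int(len(yearly) * 0.9)]}

def control_roi(before, after, annual_cost):
    """Return on a mitigation: expected loss avoided net of the control's annual cost."""
    return (before["mean"] - after["mean"] - annual_cost) / annual_cost

# Constructed scenario: phishing-led credential theft against a customer database.
BASELINE = {"tef": (2, 5, 10), "vuln": (0.3, 0.5, 0.7), "lm": (50_000, 200_000, 1_000_000)}
# Same scenario with phishing-resistant MFA assumed to lower vulnerability.
WITH_MFA = dict(BASELINE, vuln=(0.05, 0.1, 0.2))

if __name__ == "__main__":
    before, after = simulate_ale(BASELINE), simulate_ale(WITH_MFA)
    print("baseline ALE: mean=%.0f p90=%.0f" % (before["mean"], before["p90"]))
    print("with MFA ALE: mean=%.0f p90=%.0f" % (after["mean"], after["p90"]))
    print("ROI of MFA at 100k/year: %.1fx" % control_roi(before, after, 100_000))
```

The p90 figure is the one to put in front of a Data Protection Officer, since “high risk” decisions hinge on the tail of the loss distribution rather than its average.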

The clock is ticking for cybersecurity professionals in the EU to get their acts together or risk significant fines that will reverberate down to all stakeholders. Adopting a consistent and defensible risk model like FAIR, which allows risk to be quantified, may be crucial for organizations that currently rely on compliance checklists or qualitative measurements to meet the standards laid out by GDPR.

At RiskLens, we have purpose-built our software around FAIR to help large organizations make the leap in their information and risk management programs. Contact us to schedule a demo.