How to Evaluate ROI of Security Investments for GDPR (Case Study)

August 2, 2019  Jeff B. Copeland

“Security Spending to Rise on GDPR Concerns” headlines a recent edition of the Wall Street Journal’s WSJ Pro Cybersecurity newsletter (subscription required) that details how seriously companies take the EU’s privacy regulations that went into effect last May.

“GDPR has caused a wave of breach reports from companies that feared hefty fines of up to 4% of global revenues if they failed to comply,” the Journal says.

The Journal reports that companies are investing in data inventory and tracking technologies to quickly locate or delete data if required by privacy regulators, in encryption to make sure data can’t be linked to a specific person during processing, and in identity and access management technologies to meet GDPR rules.

But the Journal also finds that other companies “are holding back from investing in expensive tools to automate these processes until they see how tough European regulators will be.” Recently, the German data protection authority fined a social media company for just $22,700 over a data breach, the Journal reports.

The confusion over security investment for GDPR underscores a guiding principle behind the RiskLens Cyber Risk Quantification (CRQ) platform: don’t invest based on fear, uncertainty and doubt; use quantitative analysis to uncover the true parameters of your specific risks.

Earlier this year, RiskLens consultants helped a global banking and financial services holding company with over $300 billion in assets prepare for GDPR. In particular, the RiskLens client wanted to find a “reasonable” form of encryption that met the legal requirements. Could management get by with implementing drive encryption, or should they invest in file encryption where this sensitive data is stored?

As a test case, analysts focused on a single database housing 40,000 records. Through structured workshops, they collected critical information on key risk and control factors such as the historical number of breach attempts and the presence of data loss prevention (DLP) tools and other controls. The analysis leveraged industry loss tables to estimate the potential effect a data breach would have on customers and regulators, adjusted to account for additional fines that might be imposed under GDPR.

The powerful “what if” scenario capabilities of the RiskLens CRQ tool allowed analysts to project the effects of different encryption approaches, as well as extrapolate from one study database to the entire operation.

Learn the conclusions of the analysis, and how the financial institution was able to use the RiskLens platform to make business decisions about GDPR based on a quantitative, financial approach to cyber risk – read this RiskLens Case Study.