With Less Than 100 Days to Go, How to Get C-Level Buy-in for GDPR Compliance

For GDPR compliance initiatives to work effectively, there has to be buy-in from the boardroom. That doesn’t just mean releasing the necessary funds to bolster efforts ahead of 25 May, but understanding the need for long-term cultural and process changes to the organisation in the years to follow.

However, with less than 100 days to go until the compliance deadline, only a quarter (26 per cent) of European firms are fully compliant, according to Forrester. So how can you drive greater awareness at senior levels of your organisation?

The good news is that new Centrify research suggests that the C-level is highly aware of the financial risks associated with data breaches, placing them above all others in terms of importance. It’s helpful for the C-level to understand that compromised identity, not malware, is the biggest cyber threat facing the organisation.


Our study of 800 C-suite executives in the US and UK should be of some comfort for those still wondering how to get buy-in for GDPR initiatives. It revealed that the majority (63 per cent) of UK executives who have suffered a breach in the past consider cost the most important impact. Why is this good news? Because the GDPR is set to raise the level of non-compliance fines for data protection issues to £17 million, or 4 per cent of global annual turnover — whichever is greater.

63% of UK executives who have suffered a breach in the past consider cost the most important impact.

While it’s unclear how strictly regulators will enforce these powers, they serve as an important line in the sand designed to show companies the importance of protecting personal data. CEOs and CFOs in particular may historically have thought of breaches as simply a cost of doing business. Hopefully, the prospect of serious fines will encourage a more considered response, and greater investment of resources into security controls to aid compliance.

A small minority of respondents claimed they were also worried about loss of customers (16 per cent) and damage to the company’s reputation (11 per cent) following a breach. It’s therefore also worth reminding the board that, thanks to the 72-hour mandatory notification requirement, there will be no place to hide for companies that suffer a serious incident.


Once you’ve secured that buy-in, the next question is which security controls to focus on with your compliance efforts. This is when it gets a bit tricky because there’s no detailed checklist as such in the regulation. Instead, organisations are urged to process data in a way that “ensures appropriate security of the personal data, using appropriate technical and organisational measures”, taking into account “the state of the art” and “the costs of implementation”.

Broadly speaking, this means following current best practices in security along defence-in-depth lines. However, it’s important to note where the biggest threats may come from. Our research found a disconnect between perception and reality: malware was considered the biggest threat to organisations by 44 per cent of respondents, versus default weak or stolen passwords (24 per cent) and privileged user identity attacks (29 per cent). Yet, when it came to respondents that had actually suffered a breach, only 11 per cent claimed it was due to malware, while 21 per cent blamed privileged user identity attack or the result of stolen/weak passwords.

Organisations must certainly address the malware threat with the appropriate tools. But the reality is that most enterprise threats today begin with phishing emails and other attacks on credentials. Verizon claimed in its 2017 Data Breach Investigations Report that 81 per cent of hacking-related breaches leveraged stolen and/or weak passwords, for example.


In our new cloud- and app-driven world, legacy perimeter approaches are simply no longer fit-for-purpose. You must therefore assume that users inside a network are no more trustworthy than those outside the network. This “Zero Trust” approach to identity means implementing “always verify” policies for users, endpoints, networks, servers and applications.

There are four key pillars:

  • Verify the user: based on location, behaviour and device, and via multi-factor authentication (MFA), which removes the risks associated with static passwords.
  • Validate the device: via device identity and security posture. Logins seen as “risky” may require extra authentication steps.
  • Limit access and privilege: a least-privilege, role-based access model ensures users have just enough access to do their jobs, and no more.
  • Learn and adapt: choose systems that use machine learning and behavioural analytics to better spot unusual activity.

Security controls are only one part of the GDPR, but an important one. The C-suite is clearly already concerned about the potential costs of a breach, so this could be a good opportunity to get C-level buy-in to compliance programmes. However, it’s also important to wrap this up in a holistic discussion that covers reputation and using security as a differentiator.

GDPR compliance is not a one-off task: the regulation is here to stay, so organisations must think long term to succeed.