How Prepared are Nordic CIOs for GDPR Compliance?
Carla Arend

Survey question: To what extent is your organization preparing for the General Data Protection Regulation (GDPR) to take effect?

IDC #EMEA42212817 (January 2017). Source: IDC's 2017 Nordic CIO Survey (n = 182)
Nordic CIOs' GDPR readiness is very patchy. The key to GDPR compliance by May 2018 is getting started.

GDPR compliance is one of the major initiatives that organizations need to nail in 2017 and 2018. Although GDPR compliance seems to be a European issue at first sight, it actually applies to all organizations globally that collect or process European citizens' data. Lessons on readiness learned from the Nordic CIOs are:

Start planning. May 2018 seems a long way off, but GDPR compliance implementation takes a long time, and 16 months will seem like a short time once you get started. Luckily, 31% of Nordic CIOs have a solid plan in place that will get them safely toward the May 2018 deadline. A further 33% of respondents will start planning soon, which hopefully will get them well underway. IDC encourages all organizations to begin planning for GDPR compliance as soon as possible.

Compare GDPR with your current data protection laws. You might be surprised by the differences. 15% of Nordic CIOs believe that they are already very close to compliance with GDPR because they are compliant with the current data protection law. However, GDPR has a much wider scope in what it classifies as "privacy relevant" data and provides significantly improved rights to "data subjects," including the right to data access, correction, and erasure or "right to be forgotten" (RTBF).

Don't wait for further guidelines. Even though local data protection authorities in each country are working on the fine details of how GDPR will be implemented in their countries, there is a lot you can already do now — educating your organization that GDPR is coming and will affect every department, setting up a cross-functional steering committee, reviewing your current data protection policies, and doing a data flow analysis, just to name a few. There is really no excuse for non-compliance, so start planning now.
Which GDPR Requirement is the Most Challenging?
Carla Arend

Survey question: Which of the General Data Protection Regulation (GDPR) requirements will pose the greatest challenge to your organization?

IDC #EMEA42215117 (January 2017). Source: IDC's 2017 Nordic CIO Survey (n = 172)
GDPR sets a high bar for personal privacy protection of digital data, which poses considerable challenges for organizations.

The high privacy standards set by GDPR pose plenty of challenges to organizations, ranging from process and technology challenges to organizational and cultural challenges. Nordic CIOs have provided their rankings of GDPR-related challenges:

Right to be forgotten (RTBF). Unsurprisingly, RTBF poses the biggest challenge of all GDPR requirements. Organizations don't really understand the data they have amassed over the years, and they wonder how they will be able to identify all the data relating to one individual, let alone delete all copies of this data. Balancing RTBF with contradicting regulatory demands for data retention adds an additional layer of complexity.

Data protection by design and by default. Organizations will need to document that they have considered data protection from the outset for all products, services, campaigns, analytics initiatives, and so on. Documentation of meetings and decision-making processes will be key to fulfilling this requirement.

"State of the art." The future-proofing aspect of GDPR keeps organizations on their toes to regularly review process and technology best practices for privacy protection.

Encryption and pseudonymization of data. GDPR adds complexity to every Big Data and analytics project. Striking a balance between getting maximum value from analytics and not violating privacy will be the key to business success.

Surprisingly, managing consent ranks much lower. IDC believes managing consent is a core activity for organizations.

Data breach notification within 72 hours. This requires technologies to detect data breaches in time, as well as processes to notify the data protection authority and the public (otherwise, reporters or the media will do the informing for you, with bad implications for your company's reputation).
What are the main areas of investment for GDPR compliance for Nordic CIOs?
Carla Arend

Survey question: Which areas do you think you will need to focus on or invest in the most?

IDC #EMEA42213417 (January 2017). Source: IDC's 2017 Nordic CIO Survey (n = 179)
GDPR investments are squarely focused on data assessment, governance, and management.

GDPR will come into effect in May 2018 and will require significant investments in both data management process updates and in security, Big Data, and storage technologies. IDC's 2017 Nordic CIO Survey reveals Nordic CIOs' investment priorities:

It's all about understanding your data. Identifying applications that process privacy-relevant data and assessing and classifying data are the top two priorities for Nordic CIOs (each with 34% of respondents). An additional 25% of CIOs are investing in dataflow analysis to understand their dataflow end to end. Understanding dataflow, primary and secondary data stores, and data processing is a prerequisite for all GDPR efforts.

Get your processes in shape. GDPR compliance is primarily about processes and documentation of processes, which is key to passing the audits. A major part of that is also education of all employees about the importance and impact of GDPR, which is ranked the third priority for Nordic CIOs, closely followed by implementation of documentation processes, control and review processes, and establishment of a governance board. In several GDPR compliance models, establishing a governance board and steering committee and educating employees is seen as the first step.

Technology investments are secondary at this stage. Technology investments become relevant once you have established your processes. However, assessing how far your current security, analytics, and storage solutions can get you, and where the gaps are, is necessary prior to planning new investments. According to Nordic CIOs, the main focus is on investments in identity and access solutions, followed by anonymization solutions for Big Data and analytics, and, last but not least, investments in storage, backup, and archive technologies.