Accelerating privacy regulation returns as top emerging risk worrying organisations: Gartner

We are now seeing an evolution from GDPR-specific concerns to a broader recognition that their organisations need to overhaul their entire data security governance strategies Matt Shinkman, Gartner

Concerns about rapidly accelerating privacy regulations and their associated regulatory burdens became the top emerging risk that organisations face globally, reports Gartner in its latest Emerging Risks Monitor Report.

The quarterly survey of 98 senior executives across industries and geographies showed that “accelerating privacy regulation” had overtaken “talent shortages” as the top emerging risk.

Concerns around privacy regulations were consistently spread across the globe, denoting the increasingly numerous and geographically specific regulations that companies must now comply with.

“With the General Data Protection Regulation (GDPR) now in effect, executives realise that complying with privacy regulations is more complex and costly than first anticipated,” says Matt Shinkman, managing vice president and risk practice leader at Gartner.

“More budget dollars from IT, legal and information security are going to address GDPR compliance, just as the California Consumer Privacy Act (CCPA) is set to take effect, adding another layer of complexity for companies to navigate in this area.”

Figure 1. Top Five Risks by Overall Risk Score: 2Q18, 3Q18, 4Q18, 1Q19


Q2 2018

Q3 2018

Q4 2018

Q1 2019


Cloud Computing

Accelerating Privacy Regulation

Talent Shortage

Accelerating Privacy Regulation


Cybersecurity Disclosure

Cloud Computing

Accelerating Privacy Regulation

Pace of Change


General Data Protection Regulation

Talent Shortage

Pace of Change

Talent Shortage


AI/Robotics Skill Gap

Cybersecurity Disclosure

Lagging Digitisation

Lagging Digitisation


Global Economic Slowdown

AI/Robotics Skill Gap

Digitisation Misconceptions

Digitisation Misconceptions

Source: Gartner (April 2019)

Sixty-four per cent of respondents indicated that accelerating privacy regulation was a key risk facing their organisations.

The data showed a particularly elevated concern among executives from the banking, financial services, technology and telecommunications, and food, beverage and consumer goods sectors, with at least 70 percent of executives in each sector indicating it as a top risk.

The CCPA is one of several new global privacy regulations modeled after Europe’s GDPR law, which has been in effect since 2018. An increasingly fragmented data privacy regulatory landscape, with new privacy laws also recently enacted in Australia and Japan, have complicated the path to full privacy compliance for many organisations, according to Gartner.

“We are now seeing an evolution from GDPR-specific concerns, which have been on executives’ minds for the past couple of years, to a broader recognition that their organisations need to overhaul their entire data security governance strategies,” says Shinkman. “GDPR compliance is really just the starting gun in this process, and not the finish line.”

A magnitude of privacy concerns

In addition to being rated the top risk this quarter, accelerating privacy regulation was also rated as a risk with “very rapid velocity”, meaning that the risk would have high organisational impact if it were to materialise.

This may hint at a wariness among executives of the potentially large fines and reputational damage associated with violations of GDPR and similar legislation.

Accelerating privacy regulation was also rated as the highest-probability risk of any of the top 10 in this quarter’s report, demonstrating that executives view it as a concrete threat to their organisations.

A number of other emerging risks cited in the survey may also be contributing to executive unease around accelerating privacy regulation.

“Pace of change” was the second overall risk most concerning to executives surveyed.

It was also rated as one with “very rapid velocity”, indicating executives are unnerved by their companies’ inability to avoid disruption and mitigate risk factors.

Concerns around privacy regulations were consistently spread across the globe, denoting the increasingly numerous and geographically specific regulations that companies must now comply with

Concerns about lagging or misconceived digitisation were both among the top five risks, while outdated policies and procedures were flagged as a top 10 risk.

Last quarter’s top risk, talent shortages, ranked third overall this quarter. This may complicate and add expense to staffing efforts around the technical challenges inherent to complying with the new regulations, such as the hiring of data protection officers.

Start with the basics

Gartner has a list of recommendations on how organisations can respond to GDPR, and which can be applied to other emerging data privacy regulations.

First is to know the basics around GDPR.

GDPR applies to all organisations that process and hold the personal data of anyone residing in the EU, regardless of location, says Gartner.

Therefore, GDPR applies to your organisation if it:

  • Has an establishment in the EU;

  • Offers services or goods to residents of the EU; and

  • Monitors an individual’s behavior in the EU.

“GDPR will affect not only EU-based organisations, but many data controllers and processors around the globe,” says Bart Willemsen, research director at Gartner.

“With the renewed focus on individual data subjects and the threat of fines of up to €20 million or 4% of annual global turnover for breaching GDPR, organisations have little choice but to re-evaluate measures to safely process personal data.”

Owners of that personal data now have extended rights under GDPR. These include:

  • The right to be forgotten;

  • The right to data portability; and

  • The right to be informed, e.g., in case of a data breach, or to receive an explanation, for example, in machine learning systems’ automated decision-making.

Even if you determine your organisation doesn’t need to adhere to GDPR, it’s a best practice to assess its impact on your data processing, says Gartner.

Should you hire a data protection officer?

Many organisations under GDPR jurisdiction will be required to hire, appoint or contract a data protection officer.

Gartner says the role both protects business interests and serves as a champion for data subjects, including customers, clients and employees.

Gartner says GDPR also calls for the DPO to report to the “highest management levels” and have full access to the board.

While only one DPO can be appointed, the role can be supported by a dedicated team.

As long as the DPO is accessible and independent, organisations can choose between an internal or external model, and even a centralised or dispersed team, says Gartner.

Thus organisations can choose for one of three choices when recruiting for this role:

  • Hire an external DPO, organisations may need to pay more, given the market demand.
  • Use third-party advisors, such as consultants and lawyers, to supplement legal teams.
  • Train existing staff and help them gain industry-recognised credentials.
  • No caption

Send news tips and comments to

Sign up forCIO newsletters for regular updates on CIO news, views and events.

Follow CIO New Zealand on Twitter:@cio_nz

Copyright © 2019 IDG Communications, Inc.

7 secrets of successful remote IT teams