Limitations and risks organizations currently face in the domain of privacy and data security, considering the ever more ‘networked’ working environment. Organizations, together with their partners and service providers, deliver various services and in the process handle vast amounts of personal data. Enforcement of privacy and data security requirements is on the rise. The upcoming reform of the data protection framework in Europe will place greater obligations on organizations, considerably extend the geographic reach of European data protection laws, and dramatically increase the risks of non-compliance through possible penalties of up to 5% of worldwide turnover or EUR 100 million, whichever is higher. What business risks do organizations face now and in the future, and what can they do, besides relying on their CIOs, to limit their exposure?