Organisations such as Sony, Yahoo and Sports Direct can attest to the reputational damage that results from data security failures. The knock-on effect of these failures is even greater for the private citizen, whose personal information is now potentially available for fraudulent use. The GDPR is rightly aimed at reducing the likelihood of such events.
There have been many articles written on the subject of data protection over the last few years as the EU moved inexorably towards completing the regulatory framework. Organisations that will be impacted by this regulation, by virtue of their use of personal data, now have until May 2018 to put their houses in order.
The GDPR recommends taking a “risk-based” approach to data protection which capitalises upon many of the best practices that are already in existence concerning data security. It also aligns this essential regulatory framework to existing risk management strategies. The regulation does this by encouraging organisations to put in place measures that correspond with the level of data processing that they undertake. High risk, medium risk and low risk classifications are used based upon the likelihood and severity of the impact of an event.
Failure to comply with the GDPR can result in significant penalties: 4% of annual turnover or £20M, whichever is higher. The fact that the UK will not be in the EU in the next 2 – 5 years doesn’t mean that UK businesses don’t need to comply. If your organisation holds, processes or has access to EU citizen data, then compliance is required.
So how does this affect the risk professional?
No one generally denies that risk management is a good idea, but when it comes down to it, some stakeholders are reluctant to participate. Similarly, management, although appreciative of the benefits of robust risk management, often relegates it further down the corporate agenda than perhaps it ought.
The GDPR provides the modern risk practitioner with a vehicle to leverage the need for greater enterprise risk management, moving it from a perceived “nice to have” to something far more tangible and strategic. In addition, the skillset mastered by the Risk Manager is ideally suited to the collaborative working that will need to be in place if compliance with the GDPR is to be achieved. So this is an opportunity! Drive forward risk management, get the business to re-engage and demonstrate the value to be accrued from taking it seriously.