Enterprise risk management has, as a primary objective, ensuring that the organization complies with the legal and regulatory obligations it needs to conduct business. Companies doing business in the EU must align their processes with the General Data Protection Regulation (GDPR), which replaced the 1995 Data Protection Directive.

We are here to help with a quick guide to ensure your risk management program is GDPR compliant.

What is GDPR?
The General Data Protection Regulation is Europe’s data protection standard. It was adopted in April 2016, roughly four years after the European Commission proposed it, to bring outdated data protection law into the 21st century. Its aim is to protect individuals in the EU from privacy and data breaches in an increasingly data-driven world that is vastly different from the one in which the 1995 directive was written. The amount of personal data being collected has grown enormously over the last twenty years, and the 1995 rules were no longer adequate to the task.

GDPR gives individuals, or “data subjects”, significant new rights over how companies collect and use their personal data. Risk managers must understand that the regulation applies not only to companies established in the EU but also to companies elsewhere that process the personal data of people in the EU, whether by offering them goods or services (paid or not) or by monitoring their behaviour. This includes American companies that collect personal data from EU consumers, and no financial transaction needs to occur for the regulation to apply. In a globalized economy, GDPR therefore affects companies all over the world, from China to Australia, and risk professionals everywhere need internal controls that cover every process involving personal data.

Why does GDPR matter?
Adhering to legal and regulatory requirements is crucial for any business in order to lower the risk of adverse actions by governmental entities (e.g. fines, sanctions). As stated above, any business established in the EU, or doing business with people in the EU, has to comply with GDPR. In today’s globalized economy this EU regulation is relevant to a large number of companies, which must ensure their data protection processes are aligned with its requirements.

GDPR came into effect on 25 May 2018 and sets out binding rules for firms handling the personal data of individuals in the EU.

A few key areas of compliance include:

  • Parental consent before processing the personal data of a child under sixteen when online services are offered directly to the child (member states may lower the age threshold to thirteen).
  • A mandatory Data Protection Officer (DPO) for public authorities and for companies whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data.
  • A 72-hour window, counted from the moment the controller becomes aware of a personal data breach, for notifying the supervisory authority, unless the breach is unlikely to result in a risk to individuals.

Companies doing business in the EU must be aware of GDPR’s regulatory impact on their data privacy processes. Data protection processes must be audited to ensure they meet everything GDPR requires across the EU’s 27 member states, plus the UK, which has adopted its own version known as the UK GDPR. Risk management professionals must understand how this regulation affects the pursuit of business objectives.

Data controllers, who determine the purposes and means of processing personal data, have specific obligations that must be met to avoid stiff non-compliance penalties. Supervisory authorities set the amount of a fine using criteria such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, the degree of cooperation with the authority, and the categories of data affected. Penalties fall into two tiers: lower-tier infringements can be fined up to 10 million euros or 2% of the previous year’s worldwide annual turnover, whichever is higher, and upper-tier infringements up to 20 million euros or 4%, again whichever is higher. These penalties pose a significant risk to any company and can do severe damage to an organization that takes them lightly.

Another GDPR requirement that significantly affects a company’s risk management program is the controller’s 72-hour window for reporting personal data breaches; where a breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay. If an external attacker breaches the company, that leaves very little time to investigate, notify, and put a crisis communication plan into action to contain the reputational impact. Risk management professionals must ensure that effective, transparent communication strategies are ready in advance rather than improvised after the fact. Issues like these show that GDPR is not merely an IT compliance matter but one that affects the entire organization and demands the attention of enterprise risk management practitioners.

Risk Management Steps to Prepare for GDPR

  1. Know the Rules
    Start by reading the EU GDPR: A Pocket Guide, which condenses the 261 pages of legal jargon into an easy-to-understand guide that will put you on the right path to compliance. It can save a great deal of time in covering the compliance bases, though the regulation itself (Regulation (EU) 2016/679) remains the authoritative text.
  2. Scan your Internal Environment
    Research and document the internal processes that touch personal data. All of it needs to be thoroughly audited so that gaps in compliance coverage do not turn into missed opportunities to protect consumer data. As business processes evolve, the internal data environment should be re-scanned on a regular basis to maintain compliance. The size of the penalties should be motivation enough for leadership to revisit its risk tolerance for data security.
  3. Identify Regulated Data
    Audit the collected data to identify where internal processes need to be revised or created. Data that is not personal data falls outside GDPR and can continue to use existing processes, since no penalty risk attaches to it. Personal data, and especially special categories of personal data, must be set aside for further evaluation.
  4. Assess and Prioritize Critical Data and Processes
    Evaluate first the personal data that is critical to running the business. Complete a risk assessment of all personal data, reviewing policies and procedures for adherence to GDPR requirements. Critical data resources take priority; back-ups and other data repositories can be addressed afterwards, but they remain in scope. Security measures will need to be updated for all critical data processes, which results in a more robust IT risk management environment within the organization.
  5. Monitor Data Protection Performance
    Monitor the data security measures updated for GDPR on an ongoing basis. This practice is crucial for keeping exposure to compliance risks, and the severe financial penalties that accompany them, as low as possible. An added benefit of continuous monitoring is increased risk assurance both within and outside the organization: consumers are more willing to do business with a company that visibly protects its customers’ data rights.

Conclusion
Risk management professionals must establish clear processes for how the organization protects consumer data. Regardless of the organization, leadership will want to make sure consumer data is protected in alignment with GDPR to avoid the stiff penalties of non-compliance. This is not a task that relates only to IT; the adverse impacts of non-compliance reach every level of the organization. With the steps outlined above, however, any company can put its data protection program on a sound footing.