FERMA has called for an ERM approach to be included in the Guidelines on Data Protection Officers (DPOs) in its comments to the Article 29 Working Party considering this aspect of the EU General Data Protection Regulation (GDPR).

In its submission to the working party, FERMA sees parallels between the roles of the data protection officer and risk managers and says that an ERM methodology will help ensure a professional approach to the assessment of data protection risks. It further argues that “three lines of defence model” is likely to be relevant in this process and could be updated to the latest cyber law requirements, including the GDPR and notably the new function of data protection officer.

FERMA also believes that the role of DPO does not necessarily need to be a newly created function. It could be exercised by existing positions in the organisation, notably the risk manager, with some adjustments, thus avoiding an extra cost layer.

FERMA has consistently stated that cyber/information security is an enterprise-wide risk and compliance with the GPDR cannot be the sole responsibility of the IT department. FERMA’s working party with the European Confederation of Institutes of Internal Auditing (ECIIA) is developing a set of recommendations on corporate governance processes that will support organisations in managing cyber risks across their operations.