24/05/2018

GDPR is a continuing risk management process

GDPR

The European General Data Protection Regulation (GDPR) goes into effect today. For FERMA members, it is a continuing risk management process. There has been an enormous jump in awareness of the potential misuse of personal data this year, and it has thrown the spotlight on companies, and the way they manage the data they hold.

For the risk manager, the first priority is to ensure continuing compliance with GDPR as part of the organisation’s management of digital risks. This is a continuing exercise in the fast changing digital world. A second priority is to understand the associated reputation risks. In addition to some potentially very large fines, a company could be forced to alter its business model as the result of a breach of GDPR. 

FERMA has called for organisations to create dedicated internal cyber governance groups, led by the risk manager, to address digital risks across the whole enterprise. The group would support the organisation in meeting its obligations under the GDPR and Network Information Security Directive, now transposed into member state laws, and in managing other cyber risks.  

During discussions on GDPR, FERMA urged an enterprise risk management (ERM) approach to digital risks and proposed that risk managers could serve in the new role as Data Protection Officer (DPO) under the GDPR. FERMA has consistently argued that cyber security cannot be the sole responsibility of the IT department.

The President of FERMA Jo Willaert says, “We do not yet know how member states will begin enforcement of GDPR, but the consequences of non-compliance are potentially very serious. GDPR goes to the heart of the way that many large companies operate today, and could affect opportunities they would like to gain from data. Data is one of the largest assets a company holds, so these are truly enterprise issues that affect strategic aspects of the board’s mandate, including valuation, reputation and trust. The management of digital risks is a corporate issue that should be reflected in the governance of the company.”

FERMA board member with responsibility for cyber, Philippe Cotelle, commented: “GDPR has been a catalyst for increased awareness of data issues. Therefore, not only has the management of personal data improved but the way that we deal with data overall.”

For a look on FERMA activities on GDPR over the last four years, see also: