The European General Data Protection Regulation (GDPR) goes into effect today. For FERMA members, it is a continuing risk management process. There has been an enormous jump in awareness of the potential misuse of personal data this year, and it has thrown the spotlight on companies, and the way they manage the data they hold.
For the risk manager, the first priority is to ensure continuing compliance with GDPR as part of the organisation’s management of digital risks. This is a continuing exercise in the fast changing digital world. A second priority is to understand the associated reputation risks. In addition to some potentially very large fines, a company could be forced to alter its business model as the result of a breach of GDPR.
FERMA has called for organisations to create dedicated internal cyber governance groups, led by the risk manager, to address digital risks across the whole enterprise. The group would support the organisation in meeting its obligations under the GDPR and Network Information Security Directive, now transposed into member state laws, and in managing other cyber risks.
During discussions on GDPR, FERMA urged an enterprise risk management (ERM) approach to digital risks and proposed that risk managers could serve in the new role as Data Protection Officer (DPO) under the GDPR. FERMA has consistently argued that cyber security cannot be the sole responsibility of the IT department.
The President of FERMA Jo Willaert says, “We do not yet know how member states will begin enforcement of GDPR, but the consequences of non-compliance are potentially very serious. GDPR goes to the heart of the way that many large companies operate today, and could affect opportunities they would like to gain from data. Data is one of the largest assets a company holds, so these are truly enterprise issues that affect strategic aspects of the board’s mandate, including valuation, reputation and trust. The management of digital risks is a corporate issue that should be reflected in the governance of the company.”
FERMA board member with responsibility for cyber, Philippe Cotelle, commented: “GDPR has been a catalyst for increased awareness of data issues. Therefore, not only has the management of personal data improved but the way that we deal with data overall.”
For a look on FERMA activities on GDPR over the last four years, see also:
- 21 February 2018 – GDPR: work needed before the deadline
- 17 October 2017 – Big Data: from risk to compliance in order to generate opportunities (presentation available on demand)
- 15 February 2017 – ERM approach argued for Data Protection Officers
- 23 February 2016 – Risk Conversation at Board level: 2nd webinar with ecoDa and AIG – How to adapt the risk governance to the changing regulatory landscape for personal data ?
- 28 January 2016 – Final agreement on data protection regulation
- 22 August 2014 – Holding private data: data protection regulation & insurance coverage issues