GDPR and risk management are synonymous with each other, and traditional risk management approaches may not be appropriate in terms of speed and scalability. Gartner states:
“To support digital business’ growth and success, organisations need a set of new risk management principles. Executive leaders should ensure the organisation adopts these six risk management principles to better accommodate the success of their digital business initiatives”
This framework can help to inform risk mitigation as part of a wider digital transformation strategy.
Within GDPR, there are 7 key principles on the management of personal data, which can be aligned to Gartner's 6 risk management principles. Each pair of Gartner principles below is followed by the GDPR principles it maps to:
- Business Outcome Alignment & Risk Data Aggregation – determining the organisation's risk profile, developing GDPR policies and procedures, educating staff and understanding responsibilities.
  - Lawfulness, fairness and transparency
  - Data minimisation
- Self Service & Cyber Judgement – decentralising risk decisions and creating ownership, whilst consistent policies and education maintain alignment throughout the organisation.
  - Integrity and confidentiality
- Process Automation & Adaptive Governance – creating and maintaining a secure environment can be challenging in a fast-paced, transforming digital business, making process automation a critical component of overall risk management.
  - Purpose limitation
  - Storage limitation
Without appropriate risk management, your organisation is at risk of non-compliance with GDPR, the consequences of which are significant, both reputationally and financially.
It’s common for organisations to assume that, with the appropriate cyber protection in place against external cyber-attacks, their risk profile is low. However, risk management is far more than data security alone. It touches many other risks that companies deal with on a regular basis, so a framework for risk management is absolutely essential.
One size doesn’t fit all. Your risk management framework must be proportionate and appropriate to the size of your organisation, and key to that is understanding the overall appetite for risk. A GDPR risk assessment is the starting point for identifying gaps in compliance. An assessment will identify, analyse and evaluate threats and vulnerabilities, allowing your organisation to plan the overall framework approach.
Some of the key areas of note that should be addressed are:
- Compliance: a fine of up to €20 million or 4% of annual global turnover is a huge financial risk that will focus the attention of most organisations on assessing their GDPR maturity.
- Reputational: organisations need to demonstrate their GDPR compliance to maintain client trust and give assurance about how their data is processed.
- Cyber security: a secure environment, ideally complying with ISO 27001 where appropriate, is the absolute starting point for GDPR compliance.
As a starting point, Peru offers a GDPR assessment using our proprietary maturity framework. The resulting report will allow the leadership team to fully understand risks and gaps, and to work together to produce and implement an action plan to remediate them.