Enterprise risk management has a primary objective of ensuring organizations comply with legal and regulatory obligations needed to conduct business. Companies conducting business in the EU now have a May 25th deadline for compliance with the new General Data Protection Regulation (GDPR) rolled out to replace the antiquated 1995 Data Protection Directive.
Companies do not have much time to review and update data security processes. We are here to help with a quick guide to ensure your risk management program is ready to be GDPR compliant.
What is GDPR?
The General Data Protection Regulation is Europe’s new data protection standard, which goes into effect across all of the EU at the end of May. GDPR is the conclusion of a four-year attempt to bring outdated data security laws into the 21st century. GDPR’s site states the “aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.” The amount of data being collected has vastly increased over the last twenty years, and change was needed to meet current demand for updated data protection regulations.
GDPR gives individuals, or “data subjects,” significant new rights over how their personal data is collected and used by companies. Risk managers must be aware that if the company collects data in the EU in any way, shape, or form, it must adhere to the new security standards. This includes American companies that collect personal data from consumers, and collecting data does not require a financial transaction to occur before the regulation kicks in. In a world of economic globalization, GDPR will impact companies all over the world, from China to Australia. Risk professionals on a global scale will need to ensure internal controls are in place to comply with GDPR for all processes involving data collection.
Why Does It Matter?
Adhering to legal and regulatory requirements is crucial for any business to lower the risk of adverse actions from governmental entities (e.g. fines, sanctions, etc.). As stated above, any business in the EU or company doing business within the EU will have to comply with GDPR. In today’s globalized economy, this EU regulation will impact a large number of companies that must now ensure their data protection processes are up to par.
As companies must be compliant by May 25th of this year, the time left to restructure and adjust internal processes to avoid the risk of penalties is running out rapidly.
A few key areas of compliance include:
- The requirement of parental consent before processing personal data for minors (under sixteen)
- A mandatory appointed Data Protection Officer (DPO) for companies and public authorities carrying out certain processing activities
- Data controllers have a 72-hour window to report cyber breaches to the proper authorities
Companies doing business in the EU must be aware of GDPR’s regulatory impact on meeting objectives. Data protection processes must be audited to ensure they are up to speed with all that GDPR requires for its 28 member states. Furthermore, Brexit or not, this new regulation will impact UK businesses in one way or another. There is no time for hesitation; risk management professionals must make their leadership aware of how this regulation could impact the pursuit of business objectives.
Data controllers, who determine the purpose and manner in which personal data is processed, have specific requirements that must be met to avoid stiff non-compliance penalties. These penalties are assessed based on specific criteria used to determine the final amount a company will be penalized, such as nature of breach, cooperation, and data type. Penalties are broken down into lower-level and upper-level tiers; fines can range from 2-4% of prior-year global revenues or up to 20M euros, whichever is higher. These penalties not only pose a significant risk to companies but can cause severe adverse impact to organizations if taken lightly.
Another GDPR requirement that will significantly impact companies’ risk management programs is the 72-hour window for the data controller to report data breaches. If a cyber breach by external entities occurs, a company would have a very small window to implement a crisis communication plan to deal with the reputational impact of the breach. Risk management professionals must work to ensure effective, transparent communication strategies are on stand-by in case of a cyber breach, an event that is becoming more prevalent by the day. Issues such as these make GDPR more than an IT compliance issue: it is one that impacts the entire organization, demanding the attention of enterprise risk management practitioners.
Risk Management Steps to Prepare for GDPR
- Know the Rules
Start by reading the EU GDPR: A Pocket Guide, which condenses the 261 pages of legal jargon into an easy-to-understand guide that will help get you on the right path to compliance. Due to the short compliance window, this guide can be a life saver for covering all the compliance bases in a short period of time.
- Scan your Internal Environment
Research and document findings that assess internal processes related to data protection. Any and all data needs to be thoroughly audited to avoid gaps in compliance coverage that can result in missed opportunities to protect consumer data. As business processes evolve, internal data environments should be scanned on a regular basis to ensure constant compliance. Stiff penalties should be a good motivator for updating leadership’s risk tolerance when it comes to data security.
- Identify Regulated Data
Collected data should be audited to identify areas where internal processes require revisions or creation. Data with no required compliance can utilize existing processes as the risk of penalty does not exist. However, data that is now required to follow the regulations will need to be placed aside for further evaluation.
- Assess and Prioritize Critical Data and Processes
Critical data that is required to run the business should be evaluated first. A risk assessment of all private data should be completed, reviewing policies and procedures to ensure adherence to GDPR requirements. Critical data resources should have priority; back-ups and other data repositories can be addressed later on. Security measures will need to be updated for all critical data processes, which will result in a more robust IT risk management environment within the organization.
- Monitor Data Protection Performance
Data security measures updated to comply with GDPR should be monitored on an ongoing basis. This practice is crucial to ensure there is little to no exposure to compliance risks that could result in severe financial penalties. An added benefit of continuous monitoring of data protection performance is increased risk assurance within and outside the organization. Consumers are more willing to do business with a company that takes pride in ensuring customers’ data rights are being protected during the course of business.
Risk management professionals must be ready to bring their business up to speed in terms of how it protects the data of consumers. Regardless of the organization, leadership will want to make sure consumer data is being protected up to the new standards to avoid the stiff penalties of non-compliance. This is not a task that simply relates to IT; the adverse impacts of non-compliance reach much further, affecting every level of the organization. However, with the steps outlined above, any company can make sure they have no data protection worries come May 25th.