Posted: March 20th, 2017 3:03pm +00:00

General Data Protection Regulation (GDPR) – what it could mean for the Risk Management professional

Organisations such as Sony, Yahoo and Sports Direct can attest to the reputational damage that follows a data security failure. The knock-on effect of these failures is even greater for the private citizen, whose personal information is now potentially available for fraudulent use. The GDPR is rightly aimed at reducing the likelihood of such events.


There have been many articles written on the subject of data protection over the last few years as the EU moved inexorably towards completing the regulatory framework. Organisations that will be impacted by this regulation, by virtue of their use of personal data, now have until 25 May 2018, when the GDPR begins to apply, to put their houses in order.


The GDPR takes a “risk-based” approach to data protection which capitalises upon many of the best practices that already exist in data security, and it aligns this essential regulatory framework with existing risk management strategies. The regulation does this by requiring organisations to put in place technical and organisational measures that are appropriate to the risk presented by the processing they undertake. Risk is assessed in terms of the likelihood and severity of the impact on individuals, and processing that is likely to result in a high risk triggers a mandatory data protection impact assessment before it begins. In practice this maps naturally onto the high, medium and low risk classifications that risk managers already use.


Failure to comply with the GDPR can result in significant penalties: up to 4% of total worldwide annual turnover or €20 million, whichever is higher. The fact that the UK will not be in the EU in the next 2 – 5 years doesn’t mean that UK businesses don’t need to comply. The regulation applies on the basis of whose data is processed, not where the organisation sits: if your organisation holds, processes or has access to the personal data of individuals in the EU, then compliance is required.


So how does this affect the risk professional?


Few people deny that risk management is a good idea, but when it comes down to it, some stakeholders are reluctant to participate. Similarly, management, although appreciative of the benefits of robust risk management, often relegate it further down the corporate agenda than they ought.


The GDPR gives the modern risk practitioner a vehicle for making the case for greater enterprise risk management, moving it from a perceived “nice to have” to something far more tangible and strategic. In addition, the skillset mastered by the Risk Manager is ideally suited to the collaborative working that will need to be in place if compliance with the GDPR is to be achieved. So this is an opportunity: drive forward risk management, get the business to re-engage, and demonstrate the value to be gained from taking it seriously.
