GDPR now ‘business as normal’ for risk managers

Almost 18 months after implementation, the EU’s new data protection rules are being viewed as a risk just like any other, according to a report and webinar from Ferma. The implementation of the General Data Protection Regulation (GDPR) in May 2018 caused much concern and uncertainty for companies processing personal data of EU citizens. The rules, which introduced tough data protection requirements on companies and new privacy rights for consumers, have already resulted in some hefty fines for businesses following data breaches. However, after much effort by companies and a seemingly pragmatic approach to enforcement by regulators, the risk has now become “business as usual”, according to participants in the webinar hosted jointly by Ferma and the European Confederation of Institutes of Internal Auditing (ECIIA). The event saw participants discuss a report on GDPR and corporate governance released by the two bodies in October. The report showed that the GDPR has become embedded in the work of risk managers and auditors, although not all companies have formalised lines of communication between the relevant parties. Some 86% of the 346 risk managers and auditors surveyed said they are in communication with the organisation’s Data Protection Officer (DPO), but just under a third (31%) said this contact is “formalised” while 48% are in communication on request. Interestingly, more than three quarters (76%) of companies perform some form of GDPR risk assessment, although of those that do, only 30% quantify GDPR risk and propose mitigation measures. Some 44% of those that assess GDPR risk do not quantify the impact. Surprisingly, organisations now view the new regulations largely as a compliance risk. In an online poll, 68% of the 157 webinar participants said the GDPR represented a compliance risk for their company – 43% of the survey respondents said GDPR compliance was a high risk. However, 47% of the survey respondents said the GDPR represented a high reputational risk, while 31% and 41% respectively cited the GDPR as a strategic or operational risk. The Ferma/ECIIA report found that more than 70% of boards expressed an interest in receiving an independent assurance from internal audit regarding GDPR. However, the CRO is responsible for reporting privacy matters to the board only for one in ten organisations, compared with 43% for DPOs and 21% for senior managers. According to Lene Ritz, CRO at Danish energy firm Energinet, the initial uncertainty of GDPR implementation is now giving way to day-to-day risk management. “As a risk manager, [GDPR] is just another interesting thing to handle,” she said. According to Ms Ritz, new risks like the GDPR have a “lifecycle”. While there was a lot of uncertainty in the implementation phase, the situation has now “calmed down” following the “hard work” of establishing processes and education, said Ms Ritz. “There is still a way to go, but the uncertainty at the start [of the GDPR] has started to phase out,” said Ms Ritz. However, it is up to risk managers to remind the business periodically that these risks continue to be relevant, she added. GDPR compliance peaked with the design and implementation phase in 2019, and has now moved to the “ongoing monitoring” phase, according to Ralf Herdd, senior vice-president of corporate audit at German chemical manufacturer BASF. While the initial challenges of GDPR have eased, data protection and privacy risks will require constant evaluation, especially with the implementation of new technologies and business strategies that rely on data, according to Mr Herdd. “The main challenge is data protection on the one hand, and new technology on the other. You can do lots of stuff [with technology] but is it allowed? Dreams may be more than regulations allow,” he said. Data protection and privacy risk management and compliance need to be built into business operations. “This is not the end point, but the starting point,” said Mr Herdd. Uncertainty and complexity in GDPR implementation was seen as the biggest challenge by risk managers and auditors surveyed by Ferma. In particular, the interpretation and reaction of regulators by national regulators is challenging, although the experience of the past 18 months has shown regulators are being “pragmatic”, according to Mr Herdd. While it may be possible to quantify the maximum GDPR threat, the challenge is to calculate the “reality”, in particular when it is difficult to judge the reaction of the authorities, he said during the webinar. Ferma and the ECIIA will raise this issue when they meet with European Commission officials in December to present the recent report on GDPR risk management and governance. “It is important for regulators to understand that business must go on and we do not need new rules. Regulations are applied differently in some countries and that can make a lot of difficulty for companies. This is something [ECIIA and Ferma] will work on,” said Pascale Vandenbussche, ECIIA secretary general. It is hoped that the findings of the report will inform the European Commission’s review of the GDPR in May 2020. According to Typhaine Beaupérin, chief executive of Ferma, the two associations will make sure regulators are aware of companies' “willingness to be compliant” and the work going on to manage GDRP risks and compliance.

GDPR now ‘business as normal’ for risk managers

Want to read this article?

Read Next

New CEO of Davies’ multi-sector global consulting division

Climate change could spread malaria risk to new countries, warns International SOS

Europe records 300% surge in farmer protests this year

London market to remain closed for construction SPPI cover

Swedish risk managers told to focus on flexibility rather than resilience

New CEO of Davies’ multi-sector global consulting division

Climate change could spread malaria risk to new countries, warns International SOS

Europe records 300% surge in farmer protests this year

London market to remain closed for construction SPPI cover

Swedish risk managers told to focus on flexibility rather than resilience

Want to read this article?

Read Next

New CEO of Davies’ multi-sector global consulting division

Climate change could spread malaria risk to new countries, warns International SOS

Europe records 300% surge in farmer protests this year

London market to remain closed for construction SPPI cover

Swedish risk managers told to focus on flexibility rather than resilience

Related Articles