The General Data Protection Regulation (GDPR), which came into effect last week, will be a continuing process for risk managers, says the Federation of European Risk Management Associations (FERMA).
“There has been an enormous jump in awareness of the potential misuse of personal data this year, and it has thrown the spotlight on companies, and the way they manage the data they hold,” FERMA said in a release.
For risk managers, the first priority is to ensure continuing compliance with GDPR as part of the organisation’s management of digital risks, according to the association. Second is the duty to understand the associated reputation risks.
“This is a continuing exercise in the fast-changing digital world,” FERMA said. “In addition to some potentially very large fines, a company could be forced to alter its business model as the result of a breach of GDPR.”
FERMA president Jo Willaert highlighted the gravity of non-compliance, which could see firms handed down hefty fines.
“We do not yet know how member states will begin enforcement of GDPR, but the consequences of non-compliance are potentially very serious,” she said.
“GDPR goes to the heart of the way that many large companies operate today, and could affect opportunities they would like to gain from data. Data is one of the largest assets a company holds, so these are truly enterprise issues that affect strategic aspects of the board’s mandate, including valuation, reputation and trust. The management of digital risks is a corporate issue that should be reflected in the governance of the company.”
FERMA has called for organisations to create dedicated internal cyber governance groups, led by the risk manager, to address digital risks across the whole enterprise. The group would support the organisation in meeting its obligations under the GDPR and the Network and Information Security (NIS) Directive, now transposed into member state laws, and in managing other cyber risks.
During discussions on GDPR, the association has urged an enterprise risk management (ERM) approach to digital risks and proposed that risk managers could serve in the new role of Data Protection Officer (DPO) under the new legislation. It has also consistently argued that cybersecurity cannot be the sole responsibility of the IT department.
Philippe Cotelle, FERMA board member with responsibility for cyber, added: “GDPR has been a catalyst for increased awareness of data issues. Therefore, not only has the management of personal data improved, but also the way that we deal with data overall.”