GDPR - risk managers must be at the heart of compliance

FERMA recommends an enterprise-wide approach to GDPR compliance with risk managers taking over the new role of Data Protection Officer. It says there has been an enormous jump in awareness of the potential misuse of personal data this year, which has thrown the spotlight on companies, and the way they manage the data they hold.

The first priority for the risk manager, it says, is to ensure continuing compliance with GDPR as part of the organisation's management of digital risks. It describes it as "a continuing exercise in the fast-changing digital world."

A second priority is to understand the associated reputation risks. In addition to some potentially very large fines, a company could be forced to alter its business model as the result of a breach of GDPR. 

FERMA has called for organisations to create dedicated internal cyber governance groups, led by the risk manager, to address digital risks across the whole enterprise. The group would support the organisation in meeting its obligations under the GDPR and Network Information Security Directive, now transposed into member state laws, and in managing other cyber-risks. 

"We do not yet know how member states will begin enforcement of GDPR, but the consequences of non-compliance are potentially very serious," said FERMA president Jo Willaert.

"GDPR goes to the heart of the way that many large companies operate today and could affect opportunities they would like to gain from data. Data is one of the largest assets a company holds, so these are truly enterprise issues that affect strategic aspects of the board's mandate, including valuation, reputation and trust. The management of digital risks is a corporate issue that should be reflected in the governance of the company."

Please let us have your experiences of GDPR now that it has come into force. We plan to carry regular updates in Airmic news. Contact mark.baylis@airmic.com