Risk managers must lead data protection efforts
The European Union’s General Data Protection Regulation, the bloc’s comprehensive data protection rule, has been on the radar of risk managers for some time, and several associations have been urging their members to take an enterprise risk management approach to the requirements of the upcoming rules.
The Federation of European Risk Management Associations and the European Confederation of Institutes of Internal Auditing jointly published a report in July that urges companies to create dedicated internal cyber risk governance groups, chaired by the risk manager, to operate across all functions in the company to determine the potential costs of cyber risk and propose mitigation measures.
“As recent attacks show, cyber risk is an enterprise issue that affects strategic aspects of the board’s mandate including valuation, reputation and trust,” said Jo Willaert, Antwerp, Belgium-based president of the FERMA board, in a statement. “The management of cyber risk has, therefore, become a corporate issue that should be reflected in the governance of the company,” he added.
London-based Airmic Ltd., the U.K. risk managers association, and London-based law firm Berrymans Lace Mawer L.L.P., meanwhile, published a report in January that said compliance with the GDPR is not simply an IT issue but an organization-wide risk that risk managers must address and control.
“Risk managers and the staff in their businesses need, in my view, to start thinking about data protection law and using it in the same way they think about the Highway Code (the U.K.’s rules for road and vehicle safety): It is something to be learned and internalized rather than the subject matter of a voluntary biannual lecture,” said Nick Gibbons, a partner at the law firm.
The GDPR also will introduce a requirement for some companies to have a designated data protection officer.
Under the GDPR, a company will be required to appoint a data protection officer if its core activities require regular and systematic monitoring of data subjects on a large scale, if its core activities involve large-scale processing of special categories of personal data, or if its data processing is carried out by a public authority.
According to an estimate by the Portsmouth, New Hampshire-based International Association of Privacy Professionals, at least 28,000 data protection officers will be needed in Europe alone.