It can be lonely out on Risk Management Island, but there’s good news – your closest friend, Compliance, has dropped a break in your lap – GDPR. It isn’t easy to see, but GDPR can be a rallying cry to improve your risk management, security and compliance world. Although the implementation deadline was over a month ago, companies continue to adjust their processes in response to the regulation.
GDPR and the Risk Management Process
There are certainly many dimensions to GDPR – from the technology implications to the business operations changes needed. One area I would like to highlight is the risk assessment angle of the GDPR. This is an emerging topic in the regulatory compliance world. No longer are regulators saying you must do A, B and C. They now require a risk-based approach – meaning your company has to determine the risks, then design and operate controls that effectively manage those risks. We see this in other regulations, PSD2 for instance, and it is a trend that will continue.
Organizations need to bulk up their risk assessment processes: how risks are identified and assessed, how decisions are made to address those risks, and then how the risks are treated and monitored. This must be a demonstrable process that can be inspected. Those steps, and the decisions made during the process, must be documented to show how the organization arrived at its conclusions.
GDPR changes things from “ME” to “WE”. Rally the troops. Your friend Compliance will appreciate it.
# # #
Learn more in our short video: Dawn of GDPR: What It Means for Organizations.