It can be lonely sitting out on Risk Management Island. I have some good news for you: your closest friend, Compliance, has just handed you a break, and its name is GDPR. I know it isn't easy to see it that way, but GDPR can be a rallying cry to improve your risk management, security and compliance world. Although the 25 May 2018 enforcement deadline was over a month ago, companies continue to adjust their processes in response to the regulation.
GDPR and the Risk Management Process
There are certainly many dimensions to GDPR, from the technology implications to the business operations changes needed. One area I would like to highlight is the risk assessment angle of the GDPR. This is an emerging topic in the regulatory compliance world. No longer are regulators saying you must do A, B and C. They are requiring a risk-based approach, meaning your company has to determine the risks and then design and operate controls that effectively manage those risks. GDPR states this directly: Article 32 requires security measures "appropriate to the risk" rather than a fixed checklist, and Article 35 requires a data protection impact assessment where processing is likely to result in a high risk to individuals. We see the same pattern in other regulations, PSD2 for instance, and it is a trend that will continue.
Organizations need to bulk up their risk assessment processes: how risks are identified and assessed, how decisions are made to address those risks, and then how the risks are treated and monitored. This must be a demonstrable process that can be inspected, because under GDPR's accountability principle it is not enough to be compliant; you have to be able to show it. Each step and each decision made along the way should be documented so that the organization can show how it arrived at its conclusions, including why a given risk was accepted, mitigated or transferred.
GDPR changes things from a ME thing to a WE thing. Rally the troops. Your friend Compliance will appreciate it.