The GDPR has now been in force for a year. The Regulation has changed the privacy paradigm and, with it, the risk landscape for many organisations, not only in Europe but across the world. The consequences of non-compliance with the GDPR can attract large regulatory penalties as well as media and consumer attention like never before. Add to that the risk of the class-action type of consumer remedy so common in the US, and the risks, in terms of regulatory enforcement, financial loss and reputational damage, have substantially increased.
Businesses are now faced not only with understanding the personal data they are processing, sharing and retaining, but also with complying with a complex set of user rights, some existing, some enhanced and some entirely new. On top of that, the extra-territorial nature of the GDPR means businesses not only have to worry about protecting data in the EU but, in some cases, anywhere in the world where they process data.
Computing, and the ways of collecting, capturing and processing data, have changed enormously since the previous data protection regime, the Data Protection Directive in 1998. The complexity and sophistication of data processing add to the risk. Many organisations do not understand their own collection and use of data. This was a risk that many organisations accepted and, dare one say, managed with a risk-based approach justified by the comparatively low maximum fine under the previous regime. With the arrival of the GDPR and its maximum fine of €20 million or 4% of global turnover, the previous approach has become a high-risk strategy. Add to this the growing public awareness of the right to seek a remedy in the courts, and the added risk of consumer action is also a threat to non-compliant organisations.
All this, of course, requires substantial board-level commitment and investment from organisations small and large. Initially this takes the form of projects and programmes, which can be disruptive to existing operations: for example, ploughing through years of operational and archived data and contracts, drafting data sharing agreements, performing supplier due diligence and, of course, ensuring security is watertight. Having to identify and account for every piece of personal data processed, the reason for processing it, and so on, is not only time consuming but requires changes to operational processes, technology and personnel.
The GDPR is not limited to the legal aspects and individual rights; it also covers the protection of individuals' data from unauthorised disclosure, damage, modification and, of course, loss. This is an information security risk. The Regulation itself talks about the need to assess the risk to the data subject throughout the data lifecycle, from collecting the data to deleting it when it is no longer required. Whilst the Regulation's objective is to protect the individual, organisations have to manage the corporate risks that arise from this processing of personal data.
The GDPR means organisations must now not only account for their personal data but also take appropriate technical and organisational measures to protect all of it. This essentially means understanding the risks to the security of personal data and managing those risks using the most appropriate controls. Failure to do so can be very costly. As seen recently, most headline-grabbing breaches have been due to security failures. Whilst most of the larger personal data breaches occurred under the previous data protection regime, attracting relatively low fines, the reputational damage has been huge. The recent use of personal data for political manipulation by one company has resulted in its demise.
The data in scope is not limited to customer or consumer data. Organisations also have employees, whose data must be protected too. Here the GDPR adds another complication, and therefore a risk, for employers: they must choose the correct legal basis for processing employee personal data. Many organisations have relied on consent for this. However, because of the stricter rules on consent and the right to withdraw it, those relying on consent may now be on shaky ground, especially as consent must be freely given. Given the presumed imbalance in the employer versus employee relationship, what may be taken as freely given consent can be challenged.
Whether you are a Data Controller or a Data Processor, you have to manage the risks: first of all, the risks to the individuals whose data you are processing and, by extension, the risks to your organisation from the aforementioned non-compliance and from personal data breaches resulting from information security risks. The risks for Processors have changed too. The GDPR, unlike the Data Protection Directive, makes Processors directly liable and accountable for non-compliance. Data Controllers are responsible for ensuring that their supply chain is secure and trustworthy and that Processors act strictly under the Controller's written instructions. Supply chain or third-party risk is a relatively mature discipline in information security, but it is not so well understood by the privacy community.
In conclusion, the GDPR is not only about managing regulatory risk but also the information, reputational, financial and operational risks that organisations face as a result of processing personal data. In essence, the GDPR is all about managing risk: the risk to the individual's privacy and rights, and the risk to the organisation from failing to protect that individual's privacy and rights. The enormity of the potential fines and the likely resultant damage make GDPR risk an enterprise risk that must be addressed and managed at the executive level.