GDPR is checking your company. What would risk management do?

Silver Bullet Risk - BLOG - ERM - Enterprise risk management

Twenty years ago not much was being said or thought about privacy, apart from a few who really understood the potential of the new medium called the internet. We were eager to give our email address and any other information just to get access to new insights or to join online spaces where we found like minds. We never thought we would become the product of a massive industry that gathers data only to sell it to the highest bidder.

Today, the world talks a lot about privacy. In fact, it is one of the most talked-about issues. And with all the industry and social problems that followed from the lack and abuse of privacy, we started to dig deeper into what it means to give our personal information away. Legislators moved, too. GDPR came into the light.

On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into effect. To comply with the new regulation, companies had to review how they handle customer and user data.

Managing your employees' data is also part of the GDPR requirements, and to comply with the new, stricter rules there are some things to consider. Those who best understand compliance with the new regulation are the risk managers: the ones who are risk aware and can analyze your company's risk potential, its threats and also its opportunities.
Risk management is responsible for recognizing the threats present in the company and implementing processes to address them; otherwise there can be financial, operational or other consequences.

Based on the GDPR requirements, we identified a sample of personal data risks you should take into consideration.

1. When it comes to personal data in your organization, it is not only the names and emails of your employees. There is a full plate of information about your employees, from birthdays to social security numbers, from addresses to financial information and more. Risk management is responsible for identifying all personal data in the organization. As the volume of personal data grows and the information becomes more delicate, that responsibility increases: sensitive personal data must first be recognized before it can be protected.

2. Access to personal data is not something that can be available to every employee. Deciding who may access it must be a high priority in protecting your employees' privacy. Moreover, to process personal data one usually does not need access to the full private record, but only to a limited set of fields, without the identity of the data subject being disclosed (GDPR calls this pseudonymisation). Risk management recognizes the need to organize this kind of access to personal data.
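As an added illustration of the point above (example code, not part of the original post or of any product it describes), the following Python sketch builds role-specific, minimized views of a constructed employee table. Each processing role receives only the fields it needs, identity fields are never included, and the data subject is replaced by a keyed HMAC pseudonym so records can still be joined or counted without revealing who they belong to. The role names, field sets, sample records and the secret key are all assumptions made for the example.

```python
import hmac
import hashlib
from typing import Dict, List, Any

# Constructed sample records (fictional people, invented values).
EMPLOYEES: List[Dict[str, Any]] = [
    {"id": 1001, "name": "Ana Novak", "email": "ana.novak@example.test",
     "ssn": "123-45-6789", "birth_year": 1985, "department": "Finance", "salary": 52000},
    {"id": 1002, "name": "Marko Horvat", "email": "marko.horvat@example.test",
     "ssn": "987-65-4321", "birth_year": 1990, "department": "IT", "salary": 61000},
    {"id": 1003, "name": "Eva Kralj", "email": "eva.kralj@example.test",
     "ssn": "555-12-3456", "birth_year": 1978, "department": "Finance", "salary": 58000},
]

# Fields that identify a person directly; they are never released through a minimized view.
IDENTITY_FIELDS = {"id", "name", "email", "ssn"}

# Hypothetical processing roles and the minimum fields each needs (an assumption for the example).
ROLE_FIELDS: Dict[str, set] = {
    "payroll_analytics": {"department", "salary"},
    "workforce_planning": {"department", "birth_year"},
}

# Secret used to derive pseudonyms; in a real deployment this lives in a key store,
# separate from the people who receive the minimized views.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


def pseudonym(record_id: int, key: bytes) -> str:
    """Keyed, deterministic pseudonym for a data subject.

    HMAC-SHA256 (truncated to 64 bits here for readability) means the same employee
    always maps to the same token under one key, but the mapping cannot be reversed
    or rebuilt by anyone without the key, unlike a plain hash of a small ID space.
    """
    return hmac.new(key, str(record_id).encode(), hashlib.sha256).hexdigest()[:16]


def minimized_view(records: List[Dict[str, Any]], role: str, key: bytes) -> List[Dict[str, Any]]:
    """Return the records reduced to what `role` may see, with identities pseudonymised."""
    if role not in ROLE_FIELDS:
        # Deny by default: an unknown role gets nothing rather than everything.
        raise PermissionError(f"no data access defined for role {role!r}")
    allowed = ROLE_FIELDS[role] - IDENTITY_FIELDS  # identity fields can never be granted by config
    view = []
    for rec in records:
        row = {"subject": pseudonym(rec["id"], key)}
        row.update({k: v for k, v in rec.items() if k in allowed})
        view.append(row)
    return view


def leaked_identity_fields(view: List[Dict[str, Any]]) -> set:
    """Check helper: which identity fields, if any, appear in a released view."""
    present = set()
    for row in view:
        present |= set(row) & IDENTITY_FIELDS
    return present


if __name__ == "__main__":
    for row in minimized_view(EMPLOYEES, "payroll_analytics", PSEUDONYM_KEY):
        print(row)
```

The check function is the piece a risk manager actually wants: run it over every view a role can obtain and it should always return an empty set. Rotating `PSEUDONYM_KEY` changes every token, which is useful when a pseudonymised extract has been shared more widely than intended.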

3. Imagine having heaps of data and information in your company, all of it in one file: unsorted, scattered even, hard to make sense of. Again, it is up to risk management to identify the threat posed by non-consolidated data and to put its best effort into keeping internal records in order, since you cannot protect, correct or delete personal data you cannot locate.

4. Having access to data does not mean you are able to handle it, work with it, make sense of it or add value to the process. That is why risk management recognizes mishandling of data by the people who access it as a threat that can be mitigated by education. Sufficient and appropriate training of personnel with data processing tasks is again the responsibility of risk management, which must steer this process in the right direction and prevent the mishandling of data.


***

For more information about risk management, follow our LinkedIn and Twitter accounts. You can join the debate in the LinkedIn group ERM – ENTERPRISE RISK MANAGEMENT.