GDPR should now be part of the continuing risk management process

Published: Thursday, 31 May 2018 07:02

FERMA is calling for risk managers to take the lead in ensuring continued compliance with the European General Data Protection Regulation (GDPR). Organizations should create dedicated internal cyber governance groups, led by the risk manager to address digital risks across the whole enterprise, says FERMA. This group would support the organization in meeting its obligations under the GDPR and Network Information Security Directive, now transposed into member state laws, and in managing other cyber risks.  

During discussions on GDPR, FERMA urged an enterprise risk management approach to digital risks and proposed that risk managers could serve in the new role as Data Protection Officer (DPO) under the GDPR. FERMA has consistently argued that cyber security cannot be the sole responsibility of the IT department.

The President of FERMA Jo Willaert says, “We do not yet know how member states will begin enforcement of GDPR, but the consequences of non-compliance are potentially very serious. GDPR goes to the heart of the way that many large companies operate today, and could affect opportunities they would like to gain from data. Data is one of the largest assets a company holds, so these are truly enterprise issues that affect strategic aspects of the board’s mandate, including valuation, reputation and trust. The management of digital risks is a corporate issue that should be reflected in the governance of the company.”