News & Views / Does GDPR need to be centre stage in operational risk management?
30 May 2018

Does GDPR need to be centre stage in operational risk management?

On May 25th 2018, a new data protection regulation came into place to better protect an individual's personal data. In this blog, Chris Rollason explores the impact of the GDPR on risk practices.

The General Data Protection Regulation (GDPR) updates current EU data privacy rules, which were originally implemented in 1995 before the digital-revolution truly took hold. Whilst the GDPR key focus is on data processing, the latest regulation recognises that innovations like cloud technology have not only changed the way that data is stored, transferred and used, but have heightened information security risks as data has increasingly become a valuable commodity.

Key emphasis placed on companies to have assurances ahead of data interaction
The new regulation promises to have repercussions for companies around the world. Any company that holds, processes or interacts with personal data on any EU citizen is bound by the rules, even if it has no physical presence in any of the 28 EU member states. The GDPR also expands the scope of existing European data protection laws by broadening the range of companies considered responsible.

The former EU Data Protection Directive applied only to data controllers—those who collect and own the data, such as companies retaining customer information, including addresses and credit card details. Now, the GDPR holds data processors, such as third-party vendors, jointly liable too.

In practical terms, this means that companies need to have assurances that their suppliers and contractors also have measures in place to comply with the GDPR and know if they personally interact with data on any EU citizen, including expats.

Compliance has its challenges at all levels of the organisation
Organizations must also classify personal information in terms of risk, comply with data retention periods, and establish a procedure to erase data when the retention period is over.

Achieving broad compliance with the regulation has so far proven to be a challenge, however. Surveys by IT vendors, law firms and professional services firms routinely find that, at best, only half of their respondents are even aware of the new rules. Usually, executives admit a lack of knowledge and most organisations say they are under-prepared.

Failure to comply may carry a heavy burden of cost and reputation
Elizabeth Denham, the UK's information commissioner, who oversees data protection enforcement, says she is frustrated by the amount of "scaremongering" around the potential impact for businesses. "The GDPR is a step change for data protection," she says. "It's still an evolution, not a revolution". She adds that for businesses and organisations already complying with existing data protection laws the new regulation is only a "step change".

One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that don't comply with it. In the UK, these monetary penalties will be decided upon by Denham's office and the GDPR states smaller offences could result in fines of up to €10 million or two percent of a firm's global turnover (whichever is greater).

Those with more serious consequences can have fines of up to €20 million or four percent of a firm's global turnover (whichever is greater) Denham says there is "no intention" for overhauling how her office hands out fines and regulates data protection across the UK. She adds that the ICO prefers to work with organisations to improve their practices and sometimes a "stern letter" can be enough for this to happen.

In recognition of the fact that the onset of the GDPR is about “evolution and not revolution” and coupled with the fact that compliance can be far-reaching and extensive, Denham’s comments above seem sensible. However, operational risk planning and scenario modelling are about catering for likely future GDPR implications, and consequently is more about effective operational control. This would mean ensuring that an organisation doesn’t process an individual’s data in an incorrect way.

Operational risk implications are both present and future

Organisations will be expected to consider not only the present implications of the GDPR but also the regulatory rhetoric which may make future penalties harsher over time. This would make sense in an active environment within an organisation where step changes in the GDPR evolution process of control have not been accomplished to the satisfaction of the regulator.

With regards to the implications of capital requirements, going one step further in the assessment of effective controls and likely financial impacts should be something to consider in the event that your GDPR evolution is over a longer journey (and spanning several ICAAPs). Obviously, this would therefore put more “at risk” over a longer transitional period. It also largely depends on whether Denham in her “carrot and not stick” approach allows more smaller steps over a longer time period to be made catering for the smaller institutions who have proportionately more to achieve, but who are limited with regards resourcing and costs.

Overall it is not clear at this stage exactly how the ICO will conduct the initial investigation and appraisal of banks compliance on the GDPR. A closer look at the unknowns would seem to suggest that inclusion within operational risk scenarios would make sense, especially as the actual rules of engagement regarding compliance and dispensation is currently under so much debate. Similarly, an organisation will have a lot to lose in the event that they get it wrong.