
GDPR Risks

by Adam Brogden
in Blog

06-Sep-2019 13:01

Why bother with GDPR? It’s a lot of effort and you don’t get anything for it. You are too busy keeping your company going to bother, and you’ll never get caught anyway!

I am sure lots of people think like this, but consider the risk areas below: they are real. Regulators receive complaints every day, and companies are being fined for GDPR breaches every month. Take a look at the following key operational risk areas and perhaps think again.

Compliance Risk

The first, and very real, risk is the size of the fines that can be imposed for failure to comply with GDPR: penalties can be as high as €20 million or 4% of a company’s annual global turnover, whichever is higher. Companies need to be sure that the correct policies and processes are in place, and that staff are adequately trained.

Reputational Risk

Under GDPR, individuals have a range of rights, including the right to be informed about, and to access, the data a firm holds on them, the right to erasure, the right to data portability, and the right not to be subject to automated decision-making, including profiling.

Given the sensitive nature of much of the data most companies hold on individuals, you should seriously consider the impact on your reputation if you are reported for a data breach. Don’t forget that the ICO publishes its enforcement actions, the list is circulated far and wide, and your customers will definitely find out.

Cyber Risk

You should already have procedures in place to detect and investigate a personal data breach, but you may wish to review them in light of GDPR. You should also make sure you have procedures for notifying the appropriate teams, managers and the regulatory authority when GDPR requires it: a reportable breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, so your incident response process needs to be able to assess and escalate a breach within that window. It is important that GDPR is built into the appropriate parts of your business continuity and disaster recovery plans.

Human Resources Risk

Personal data doesn’t just live in customer databases; it is held within the Human Resources function as well. You should make sure that all of the GDPR requirements are implemented in HR’s handling of employee and applicant data.

It’s important to identify the risks that can arise from data handling in this area, for example a dismissed employee exercising their right to see the data the company holds on them, and to create processes for handling those risks.

Legal Risk

If you operate both inside and outside the EU, you should check whether local regulations could conflict with any of GDPR’s requirements.

There are also places within the EU regulatory framework where GDPR can be tricky, for example know-your-customer programmes under anti-money laundering (AML) and counter-terrorist financing regulations, which require you to collect and retain personal data and so interact with rights such as erasure. You need to examine any regulatory framework that requires you to obtain, process and hold personal data in a certain way, and document how you reconcile it with GDPR.

New Product Risk

GDPR makes it a legal requirement for firms to adopt a privacy by design approach to new product development. Firms must carry out a Data Protection Impact Assessment (DPIA) as part of a new product development programme whenever the processing is likely to result in a high risk to individuals. You must ensure these steps are baked into your new product development process and that the risks identified are actually being managed. We can help you identify how DPIAs should be linked to risk management and GDPR implementation.

These are fairly generic risks that apply to most companies. The key message is that you need to take GDPR seriously and embed its principles into everything you do. GDPR should cease to be a separate thing; it should be part of how you operate.

If you need any help understanding how this might apply to you please call anytime.

Good luck all.