GDPR real risk > GDPR potential risk

In all of the discussions about GDPR, many people seem to have become overly focused on the new financial penalties for non-compliance. It’s certainly a weighty amount – any organisation failing to achieve compliance with GDPR could face penalties of up to €20m or 4% of annual turnover, whichever is greater.

But how realistic is that, especially for mid-sized firms? I would say it is highly unlikely that any organisation will be hit with such a fine, at least in the first few months of the GDPR era. But that’s not to say that there aren’t huge risks out there for non-compliance. What are the real risks of GDPR, and how do organisations go about measuring them?

Increased SARs with GDPR

GDPR is replacing the old Data Protection Act (DPA), which was established in 1995 and was soon deemed to be unfit for protecting consumer data in the internet era. The GDPR will be a vast improvement on this, as it is undoubtedly a better way of helping to ensure that consumer information is safe and secure.

But GDPR is not only about safeguarding such personal data – it is also about being able to prove that it’s safe, and also the ability to deliver information to citizens should they ask for it. Any EU citizen can issue a Subject Access Request (SAR) to see what information any organisation holds on them. Under the DPA, organisations had 40 days to respond to a SAR – with GDPR this is now just 30 days.

But even more significantly, there used to be a fee for citizens to make this request. That has now changed, and making a SAR is now free of charge. This makes it much easier for citizens to be proactive about monitoring the data held on them, and it also means that organisations will be facing significantly more SARs than before.

GDPR and the emergence of a new cyber threat

Are businesses set up to manage an increase in SARs? Do they have a system and strategy in place to ensure they don’t become overwhelmed? A typical SAR requests a lot of information: how data has been used, which third parties have had access to it, how long it has been stored, and details of any data breach that has occurred.

Not only can this become extremely onerous, but there is also the emergence of a new cyber threat with GDPR. Because hackers are so much more organised, professional and targeted, it is easy to imagine how they could use GDPR to attack an organisation.

Using ransomware to breach consumer data and then demanding money from organisations in exchange for not going public with the breach, or submitting enormous volumes of SARs, could be both very effective for attackers and a great risk for organisations that are non-compliant with GDPR.

Losing the brand battle

But arguably the main ramification of GDPR non-compliance is the impact that it could have on a brand. No organisation wants to be known in perpetuity as the firm that does not look after its customers’ data, particularly if that firm is in financial services and the data it holds is financial in nature as well as private.

The long-term damage to a brand could be vast, especially when one considers how quickly social media can spread a story in 2018. If a disgruntled consumer fails to get a response to a SAR, they could complain on Twitter and Facebook, and the company in question would be known all over the world for all the wrong reasons within a very short time.

Whether an organisation could recover from such a PR disaster is debatable, and it is risks such as this, rather than regulators’ fines, that are the real risk of GDPR. But managing risk is very achievable; it just takes the right tools and a different approach.

Adopting an automated approach to risk management provides continuous, ongoing protection against a range of different threats, including the risks around non-compliance with GDPR. Furthermore, digitised risk management means that risk modelling can be more accurate and effective, amplifying weak signals to predict when and where risk might emerge and what its potential effect will be.

At OXIAL we have great experience in managing risks, both around compliance and in other areas. We also work with several strategic partners to offer a truly comprehensive GDPR solution, OXIAL GDPR EXPRESS, which will help assess the real risk that comes with GDPR – drop us a line if you’d like to learn more.

OXIAL’s New Generation GRC solutions are built to address some of the greatest challenges facing organisations in Risk Management, Internal Control, Compliance and Audit. OXIAL’s integrated GRC platform enables organisations to become more efficient and effective in mitigating risk by integrating and automating GRC processes on a global scale.

Featuring intuitive and powerful tools that make it possible to respond to fast-evolving risk environments, OXIAL makes it easy to synchronise corporate governance, enterprise risk management and corporate compliance activities and to undertake real-time monitoring across all business and IT processes and company assets. OXIAL operates globally across multiple industries and meets the needs of over 40 customers who have chosen OXIAL to drive business performance and achieve success.