
GDPR: A response to risks or a new risks generator?

17 April 2018

Original content provided by BDO Serbia

With 25 May, the deadline for bringing organizations into compliance with the provisions of the GDPR, approaching rapidly, the complex subject of personal data protection has become increasingly topical. Requests from the headquarters of international companies to align the operations of their offices in the territory of the Republic of Serbia with those provisions, requests from EU clients working with Serbian companies, and the expected adoption of the new Law on Personal Data Protection have made this area a focal point for the domestic public as well.

Personal data protection, as a specific and sensitive issue, is certainly a source of risk for every organization. New technologies and telecommunication channels let our personal data move freely and faster through the global digital network, and the risks associated with managing that data grow in proportion. The results of research conducted by BDO worldwide, involving representatives of 500 leading global organizations, also indicate growing awareness of exposure to the risks associated with personal data management: investment in establishing an adequate personal data management system increased by 78% compared to the previous year, and the involvement of boards of directors in personal data management activities rose by as much as 79% over the same period.

Taking into account the data above, and the view of the surveyed organizations' representatives that the key risks organizations will encounter over the next 10 years are regulatory, cyber and reputational risk, it is clear that these risks will undoubtedly influence the management of personal data within organizations.

In conversations with clients and colleagues in the BDO network, we have concluded that some of the key challenges organizations face when applying the GDPR are: the broadened definition of personal data (online identifiers such as IP addresses are now included), enabling the "right to be forgotten" (erasure of data), the requirement to collect only the minimum personal data necessary for the purpose (data minimization), defining valid forms of consent for the collection and processing of data, the process of notifying the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, the appointment of a Data Protection Officer (DPO), and carrying out a Data Protection Impact Assessment (DPIA). We can say that the GDPR tends to reduce many risks, but the wide range of demands it brings introduces new risks to business operations.

Starting with regulatory risk, the GDPR sets a precedent when it comes to penalty provisions. If an organization is found to have processed personal data in breach of the Regulation, the fine can amount to up to EUR 20 million or 4% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher. Bearing in mind that, at a global level, the average profit margin of the world's largest retail chains is about 3% of revenue, the consequences of inadequate personal data management become very clear.

Cyber risks will also have a major impact on the management of personal data and on business operations. Had the data breach that hit the British telecommunications provider TalkTalk in October 2015 occurred after the GDPR took effect, the company, instead of the fine of 400 thousand pounds it actually paid, could have faced a fine of up to 17 million pounds.

Reputational risk is also present: investors may lose confidence in an organization that manages personal data inadequately. The most recent example is the largest social network, Facebook, which, within days of the publication of allegations that its users' personal data had been improperly obtained and traded, lost close to USD 100 billion in market value. To protect their investment, investors will assess how adequately personal data is managed in the organizations they are considering investing in before making an investment decision.

Managing personal data brings significant risks that can endanger business continuity. In identifying and assessing these risks, and in choosing a mitigation strategy, organizations should pay special attention to cooperation with third parties: telecommunication service providers, hosting providers and the like. To ensure that personal data, and its transfer, are secure, the organization must establish an adequate system for vetting potential providers of such services. That organizations face serious challenges here is also indicated by the results of BDO USA research showing that 52% of organizations have a risk management system that can adequately manage personal data within the organization itself, but only 40% have a risk management system that extends to their interaction with third parties.

Finally, any risk that is adequately treated can become a development opportunity for an organization. Regardless of the regulations, penalty provisions and all the other threats in this area, every organization can benefit from investing in a professionally run risk management system. By engaging professionals with the knowledge, experience and practice-proven methodology needed to ensure a high level of adequacy in managing personal data and the related risks, organizations will, in addition to meeting regulatory requirements, distinguish themselves as responsible organizations, as reliable partners able to tackle challenges, and as a safe choice for cooperation and potential investment.

Igor Radmanović, Partner in the Audit and Risk Management Department
Nikola Marković, Risk Management Advisor

Published: Biz Life Magazin, issue 57, April 2018