Bearing in mind its significant impact upon major or complex organizations, the GDPR actually requires you to look at the processing of personal data from all angles.

Probably the best starting point in any GDPR compliance project is making a detailed analysis of the risks an organization may incur in case of non-compliance. This way, you obtain a pretty detailed overview of the actions to be taken moving forward.

Each risk has two components. The first is the impact the risk has upon an organization when it occurs. This is the approach the GDPR requires you to take when dealing with sensitive data. Notwithstanding the fact that the GDPR imposes administrative fines (and the Directive provides for the option to even impose criminal sanctions) upon companies and organizations that are not compliant with the GDPR, we will also look at the cost of becoming compliant and taking corrective measures (time, money and effort), as well as negative press, etc.

However, the second component – the probability of a risk occurring – is often overlooked, notwithstanding the fact that it is an equally important aspect that will steer your path towards compliance. In other words, there is no need to put a major focus on a risk that is extremely unlikely to occur.


Fines

Companies that are not compliant with the GDPR can incur administrative fines of up to 4% of their global annual turnover or 20 million euros. In order to determine the actual level of this fine, various criteria are put forward, including the nature of the infringement, whether or not preventative measures have been put in place, and the actions undertaken to mitigate any damages incurred by data subjects.

In addition, EU Member States have the possibility to levy criminal penalties upon companies and organizations that are not acting in accordance with the new privacy framework.

In brief, it is key to have a clear plan in place whereby you can demonstrate to national or European data protection authorities that (ongoing) steps are being undertaken towards compliance with the GDPR. Our tools give you a good impression of the ins and outs of the impact and likelihood of the privacy risks incurred, and provide clear guidance on which actions to undertake moving forward.


Privacy impact assessment

The GDPR requires you to carry out a privacy impact assessment in certain circumstances, without being too specific on how this needs to be done.

Our approach is by nature risk-based, simply because most companies and organizations consider GDPR compliance a burden rather than an opportunity. The methodologies we are using are distilled from standard Enterprise Risk Management (“ERM”) methodologies, which entail the following steps:

  1. Define the organization’s “risk appetite”: what are the levels of financial, people, reputational and environmental risk the organization is willing to take;
  2. Identify the risks to be assessed by the organization. In this specific case, the risks are mainly privacy / data protection related, but will also touch upon issues like physical and cyber-security, exchange of information, etc. We have identified close to 100 risks that are reviewed and assessed by clients, in order to bring as broad a perspective as possible to the issue;
  3. Assess the initial risks incurred, bearing in mind the company’s risk appetite defined in step 1 above;
  4. Review the measures already undertaken by the company in terms of policies, processes, agreements, etc. to mitigate possible privacy risks, which will highlight the so-called “residual risks” the company is potentially dealing with;
  5. Define a clear plan in order to mitigate the residual risks, including drawing up a RACI matrix that defines who is Responsible for carrying out a task, who is Accountable for the completion of the task, who needs to be Consulted and who should be Informed of the outcome of the task.

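The five steps above can be expressed as a small risk register that scores each risk on impact and likelihood, applies existing controls to obtain the residual risk, compares the result against the risk appetite and derives a RACI-tagged action list. The code below is an added illustration and is not the proprietary tool or methodology the page describes; the 1–5 scales, the register entries, the control effectiveness values, the appetite thresholds and the role names are all constructed assumptions.

```python
"""Worked risk-register example for the ERM steps: appetite, identification,
initial assessment, review of controls, residual risk and RACI action plan.
All scales, entries and role names below are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    """One entry in the risk register (step 2). Impact and likelihood are assumed 1..5 ordinals."""
    name: str
    category: str                                   # used to look up appetite and RACI roles
    impact: int                                     # 1 negligible .. 5 severe (fine, cost, reputation)
    likelihood: int                                 # 1 rare .. 5 almost certain
    controls: dict = field(default_factory=dict)    # control name -> assumed effectiveness in [0, 1]

    def inherent_score(self) -> int:
        """Step 3: the initial risk before any mitigation is taken into account."""
        return self.impact * self.likelihood

    def residual_likelihood(self) -> int:
        """Step 4: each existing control removes a share of the likelihood; impact is assumed unchanged."""
        remaining = 1.0
        for effectiveness in self.controls.values():
            remaining *= 1.0 - effectiveness
        return max(1, round(self.likelihood * remaining))

    def residual_score(self) -> int:
        return self.impact * self.residual_likelihood()


def exceeds_appetite(risk: Risk, appetite: dict) -> bool:
    """Step 1 applied: the residual score is compared with the category's tolerated maximum."""
    return risk.residual_score() > appetite[risk.category]


def action_plan(register: list, appetite: dict, raci_roles: dict) -> list:
    """Step 5: residual risks above appetite, highest first, each with its RACI assignment."""
    plan = []
    for risk in sorted(register, key=lambda r: r.residual_score(), reverse=True):
        if exceeds_appetite(risk, appetite):
            roles = raci_roles[risk.category]
            plan.append({
                "risk": risk.name,
                "inherent": risk.inherent_score(),
                "residual": risk.residual_score(),
                "responsible": roles["R"],
                "accountable": roles["A"],
                "consulted": roles["C"],
                "informed": roles["I"],
            })
    return plan


# Constructed sample register: four risks with assumed scores and controls.
REGISTER = [
    Risk("Unencrypted laptops holding customer data", "privacy", 4, 4,
         {"full-disk encryption": 0.8}),
    Risk("Phishing leading to credential theft", "cyber-security", 5, 4,
         {"security awareness training": 0.3, "multi-factor authentication": 0.5}),
    Risk("Supplier processes personal data without a DPA", "privacy", 3, 3),
    Risk("Breach not notified within 72 hours", "privacy", 4, 3,
         {"incident response playbook": 0.2}),
]

# Constructed appetite: maximum residual score tolerated per risk category.
APPETITE = {"privacy": 6, "cyber-security": 8}

# Constructed RACI roles per category (assumed organisation, not the page's).
RACI_ROLES = {
    "privacy":        {"R": "DPO",  "A": "CEO", "C": "Legal", "I": "IT"},
    "cyber-security": {"R": "CISO", "A": "CEO", "C": "DPO",   "I": "Board"},
}

if __name__ == "__main__":
    for risk in REGISTER:
        status = "ACTION" if exceeds_appetite(risk, APPETITE) else "within appetite"
        print(f"{risk.name:50} inherent={risk.inherent_score():2} residual={risk.residual_score():2} {status}")
    for item in action_plan(REGISTER, APPETITE, RACI_ROLES):
        print(f"{item['risk']}: R={item['responsible']} A={item['accountable']} "
              f"C={item['consulted']} I={item['informed']}")
```

Running the script shows the two encrypted-or-authenticated risks dropping within appetite once their controls are credited, while the missing supplier agreement and the slow breach notification stay above the privacy threshold and land in the action list with the DPO as the responsible party. The multiplicative control model is one simple choice; a register that models controls as reducing impact as well as likelihood would only change `residual_score`.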
Generally speaking, this process takes two to three weeks to complete.

Cybercrime and data breach

Cybercrime is one of the paramount risks to be considered when drawing up an action plan towards GDPR compliance.

Together with external or internal technology and security experts, we assess your security plans, carry out reviews with key suppliers and – where needed – customers, and provide you with general and GDPR-specific insights and recommendations on how to go one or even a few steps further in securing your physical, technical and operational environments.

Of course, the data breach risk will always remain: individuals working for the organization, applications used within the company, the technical infrastructure, down to single components thereof (remember Spectre and Meltdown), are prone to cyber attacks. Bearing in mind the fact that many organizations are not good at crisis communication, it is key to have a clear communications plan in place for whenever such a risk materializes.

Our tools help you in your operational readiness …


Our solutions


GDPR risk assessment

Using our proprietary tools and methodologies, we can generally provide for a detailed risk assessment, suggested corrective actions, and a RACI matrix on who, how and when the recommended steps need to be taken. See a sample report here.

Consultancy

Contact us for a complimentary intake discussion. Generally speaking, we only do fixed fee projects, not billing by the hour.

GDPR compliance memorandum

Documenting the steps undertaken towards GDPR compliance is an important aspect whenever you are subject to an investigation by official authorities, and mitigates the likelihood of fines being imposed upon the organization. Our GDPR compliance memorandum provides the necessary structure and insights to inform non-insiders of how your organization is structured, who is doing what, and which actions have been undertaken on the path towards GDPR compliance.

Steven Motmans, GDPR Risks