GDPR- Does the risk concept fully justify the intention?
Med tillatelse fra vår kursleder Ayse Nordal har vi her gleden av gjengi hennes fagartikkel fra LinkedIn om GDPR og risiko. Ayse underviser i våre risikolederkurs hvor hun også ivaretar tema GDPR, med fokus på GDPRs krav til risikostyring. Les mer om Ayse og kurs i risikoledelse på denne siden.
Author: Ayse Nordal, 1 article– GDPR- DOES THE RISK CONCEPT FULLY JUSTIFY THE INTENTION?
Broadly used standards and frameworks in risk management area have gradually accomplished a common understanding of the «risk» concept.
COSO, Enterprise Risk Management framework (2017) defines risk as «The possibility that events will occur and affect the achievement of strategy and business objectives».
The framework underlines that organizations commonly focus on risks that may result in negative outcomes. However, events can also have positive outcomes which should be considered.
ISO 31000, Risk Management Standard (2018) builds on a similar understanding. Risk is the effect of uncertainty on objectives. In Note 1, the standard elaborates that the effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities as well as threats.
Today many organizations’ risk assessment activities include identification, analysis og evaluation of opportunities as well as risks. The intention is to utilize the opportunities to improve the performance of the enterprise and to take advantage of better resilience, agility and prosperity.
Many enterprises have adjusted their systems and tools to be able to visualize, rank and quantify the elements of both the negative and the positive deviations from the expected.
2. GDPR – Expected benefits and intentions
After several years of preparations, discussions and debate, the GDPR (the EU General Data Protection Regulation) was approved by the EU Parliament on 14 April 2016 and it was enforced on 25 May 2018. Now, the organizations in EEA (European Economic Area) focus on implementing technical and organisational measures, which can protect the personal data and ensure their processing in accordance with the principles of the GDPR. Risk management is expected to be instrumental for these efforts.
European Commission (2018) defines the benefits of GDPR as follows:
· One Union, one law: a single set of rules makes it simpler and cheaper for companies to do business in the EU.
· One-stop-shop: in most cases, companies only have to deal with one Data Protection Authority (DPA).
· European rules on European soil: companies based outside the EU must apply the same rules as European companies when offering their goods or services to individuals in the EU.
· Risk-based approach: the GDPR avoids a burdensome, one-size-fits-all obligation and instead tailors obligations to the respective risks.
· Rules fit for innovation: the GDPR is technology neutral.
The objectives of GDPR are defined in §1. These are:
· Protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
· Protection of fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
· The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
A risk based approach after the renowned standards should focus both on identifying risks, which may hinder and on identifying opportunities which may facilitate the achievement of these objectives.
3. Risk concept of GDPR
The GDPR-risk concept is used for instance in Article 25.1, 27. 2.a, 30.5, 32.1, 33.1 of the document. For example Article 25.1 (Data protection by design and by default) states the following: «Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymous (…)» .
According to this statement, risk is one of the elements contributing to decision making and it is directly og solely connected to rights and freedoms of natural persons.
In Article 35.1 (Data Protection Impact Assessment), the focus is on «high risks». The article states: «Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (…)»
The scope is mitigating high risks. The preventive activities which may focus on medium risks, as well as activities which may utilize the opportunities are not considered.
4. Would a broader risk concept and analysis give better motivation to organizations?
Laws and regulations focus on what is not legal and what is prohibited. Thus these statements are justifiable. Since many organizations were not fully GDPR compliant when the law was enforced it is realistic. However, it may be relevant to discuss whether a broader risk concept which takes into account medium risks and preventive actions as well as opportunities would motivate the practitioners better.
- COSO, Enterprise Risk Management, Integrating with Strategy and Performance, June 2017 p: 9
- ISO 31000:2018, Risk Management Guidelines, p: 1
- European Commission, The GDPR: New opportunities, new obligations, EU 2018, Luxembourg Publication Office of the European Union, p:3
- EU- GDPR https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL
Ayse Nordal, NFKR Academy
flere artikler og kommentarer finner du på LinkedIn profilen til Ayse