6 Key Operational Risks for Firms Implementing GDPR


The deadline for implementation of the General Data Protection Regulation (GDPR) – 25 May 2018 – is fast approaching.

While much of the focus at the moment may be on achieving basic compliance, operational risk executives should be aware that over the medium term this piece of EU rulemaking could have a significant impact on the risks their firm is exposed to.

The following are six key operational risks that teams should look at more closely in relation to GDPR:

Compliance risk

Front and centre is the size of the fines that could be imposed for failure to comply with GDPR – the penalties can be as high as €20 million or 4% of a company’s annual global turnover, whichever is higher. These are hardwired into the regulation itself.

The UK’s Financial Conduct Authority (FCA) has said in its annual business plan that it plans to review firms’ use of data during the 2018/2019 year. Operational risk teams need to be sure that the correct policies and processes are in place, as well as adequate training.

Reputational risk

Under GDPR, individuals have a range of new or strengthened rights, including the right to be informed about the data a firm holds on them, the right to erasure, the right to data portability, and the right not to be subject to automated decision-making, including profiling.

Given the sensitive nature of much of the data processing financial services firms do on individuals, it’s likely that early on some firms will be tested for GDPR-compliant personal data handling by consumer groups and others. Operational risk teams should flag the risks to the firm’s reputation if it fails to perform GDPR personal data requests correctly, and seek to put in place communication and remediation strategies in case such a challenge arises.

Cyber risk

Firms should already have in place the right procedures to detect and investigate a personal data breach, but operational risk teams may wish to review these in light of GDPR.

Operational risk teams should also make sure the firm has the right procedures in place to notify the supervisory authority in their jurisdiction of personal data breaches when required to do so under GDPR. The regulation sets a deadline of 72 hours from the firm becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals, and affected individuals must also be told without undue delay where the breach is likely to result in a high risk to them. It is important that GDPR is woven into the appropriate parts of a firm’s business continuity and disaster recovery plans.

Human resources risk

Personal data doesn’t just exist in customer databases – it is held within the Human Resources function as well. Op risk teams should make sure that all of the GDPR requirements are implemented in the Human Resources function’s handling of employee and applicant data.

It’s important to identify potential risks that could result from data handling in this area – for example, the right of an employee who has been dismissed to see the data the company holds on them (a subject access request) – and to create processes for handling those risks.

Legal risk

Firms that operate in a number of non-EU jurisdictions should seek to understand if local regulations could potentially conflict with any of GDPR’s requirements.

There are also potentially places within the EU regulatory framework where GDPR may be tricky – for example, when it comes to know-your-customer programmes under anti-money laundering (AML) and counter-terrorist financing regulations. Op risk teams should work with compliance teams to examine any regulatory frameworks that require firms to obtain, process and hold personal data in a certain way.

New product risk

GDPR makes data protection by design and by default a legal requirement, which means privacy must be built into new product development from the outset. Firms must carry out a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals, which will be the case for many new product development programmes.

Operational risk teams need to ensure that these steps are baked into new product development processes and that the risks are being managed. Guidance produced by the UK Information Commissioner’s Office (ICO) can help op risk teams identify how DPIAs should be linked to risk management.

It may make sense for firms to tag GDPR-related risks and loss events in their risk management software, so that they can track and manage these risks more effectively – as well as report on them to senior management and the board. Understanding these risks may also help inform discussions with regulators.
