Recent analysis by law firm DLA Piper has revealed that since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, more than 160,000 data breach notifications have been made to authorities.
As of 28 January 2020, this equates to approximately 263 data breach notifications every single day – an astonishing amount, given the time and resource that has been spent preparing organisations across the world for GDPR. Firms have invested in risk management software, cybersecurity systems, GRC software and a whole range of other IT GRC tools, but what this volume of breaches indicates is the need for smart and accurate risk mapping.
Risk mapping is what allows an organisation to have a full understanding of its risk environment and know how different risks should be prioritised. As the risk from GDPR grows, risk mapping will be an essential way for any business to mitigate that risk and address it so that it causes the least damage and impact possible.
GDPR and risk management
GDPR was intended to improve the data privacy for consumers in the EU, replacing legislation that had been around since the very days of the internet and that was no longer fit for purpose in the era of mobile, cloud and big data.
In these terms, it has been very effective. But it has also brought the issues of data and data privacy far more into the open than they have ever been. It has also brought far more risk to organisations, in terms of achieving and maintaining compliance with GDPR.
Organisations have much more responsibility than they did previously, with a lengthy list of requirements as to how they should, and shouldn’t manage the data they hold. The risks involved for non-compliance include enormous fines, as outlined in the GDPR Data Breach Survey from DLA Piper.
The total cost of GDPR-related fines paid so far is €114m ($126m/£97m), with the largest fine paid so far paid by Google for €50m. There have been two larger fines issued in the UK, to British Airways and Marriott Hotels, although both organisations are yet to agree on the final payment amount. There is also the long-term risk to an organisation’s brand – would consumers really want their data held by a company that does not treat it with the security and privacy it should?
The need for risk mapping
This only makes it all the stranger that not all firms are yet GDPR-compliant – in September 2019, it was revealed that only one-third of businesses were fully compliant with GDPR. Part of being ready for GDPR involves an organisation understanding what risks might emerge, what the impact of those risks might be, how risk resource should be allocated and how those risks can be managed and mitigated.
This process is known as risk mapping and should be a part of any smart IT GRC software. In fact, risk mapping is one of the most important exercises that a business should undertake in 2020. Given the volume and severity of risks currently, which include of course GDPR but also other risks such as cybersecurity, employee fraud, political uncertainty and much more, understanding your risk environment and knowing where to prioritise is essential knowledge.
The standard and most simple way of building a risk map is to plot the frequency of a risk on a chart’s y-axis and the severity on the x-axis. The risks mapped to the right and the top of the chart are the risks that are a priority. Those that are to the left and the bottom are less pressing and can be managed and prioritised accordingly.
The Oxial sGRC solution and risk mapping
Oxial’ssGRC solution is an IT GRC tool that includes risk mapping as a matter of course. We work with an organisation to map out each risk and threat to their business, collaborating with our technology and business partners who all have a deep understanding of what risks are in the market.
By providing such thorough and extensive risk mapping, our customers can manage their risks more much effectively, providing more informed and fluid decision-making when it comes to addressing risk. This is especially relevant in the era of GDPR. The number of data breaches and fines revealed this month (January 2020) is just the tip of the iceberg. GDPR is an on-going requirement and there will be many more breaches and subsequent fines to come.
Risk mapping allows an organisation to address these risks much more effectively. If your organisation could benefit from risk mapping then why not get in touch with one of our risk mapping experts here?