Rallying the Troops for GDPR

It can be lonely out on Risk Management Island, but there’s good news – your closest friend, Compliance, has dropped a break in your lap – GDPR. It isn’t easy to see, but GDPR can be a rallying cry to improve your risk management, security and compliance world. Although the implementation deadline was over a month ago, companies continue to adjust their processes in response to the regulation.

GDPR and the Risk Management Process
There are certainly many dimensions to GDPR – from the technology implications to the business operations changes needed. One area I would like to highlight is the risk assessment angle of the GDPR. This is an emerging topic in the regulatory compliance world. No longer are regulators saying you must do A, B and C. They now require a risk-based approach – meaning your company has to determine the risks, then design and operate controls that effectively manage that risk. We see this in other regulations, PSD2 for instance, and it is a trend that will continue.

Organizations need to bulk up their risk assessment processes – how risks are identified and assessed, how decisions are made to address those risks, and then how the risks are treated and monitored. This must be a demonstrable process that can be inspected. Those steps, and the decisions made during the process, must be documented to show how the organization arrived at its conclusions.

GDPR changes things from “ME” (Read more...)

This is a Security Bloggers Network syndicated blog from RSA Blog authored by Steve Schlarman. Read the original post at: