The webinar discussed the full results and recommendations of a joint project between FERMA and the European Confederation of Institutes of Internal Auditing (ECIIA), which assessed how the EU General Data Protection Regulation (GDPR) impacted our professions one year after its enforcement. This webinar helped participants understand:
- To which extent the risk manager and the internal auditor are involved in the GDPR corporate implementation
- How GDPR has affected the interactions between risk management, internal audit and Data Protection Officer (DPO)
- What are the best practices and recommendations to embed personal data protection in the risk and audit governance of your organisation
After one year of GDPR implementation, FERMA and ECIIA sent in May a common set of five questions to their risk management and internal audit members.
The objectives were to:
- Evaluate the roles of the risk management and internal audit functions regarding the GDPR and personal data related risks
- Provide a unique insight into the implementation of the GDPR by companies to the European policymakers
2. GDPR : where do we stand?
Framework:
• 27th April 2016: Adoption
• 6th May 2018: Application
• May 2020: Public evaluation report by the Commission, transmitted to the European Parliament and to the Council
• 2020: E-PRIVACY
• April 2019: European Data Protection Board report: COOPERATION – CONSISTENCY – STANDARDISED for Supervisory Authorities
• July 2019: European Commission Communication taking stock of one year of application of the GDPR
• June 2019: European Commission report of the multi-stakeholder group
Figures (chart):
• Total: 206326
• Complaints: 94622
• Data breach notifications: 64684
• Other: 47020
Status (chart values in slide order): 47% ongoing, 52% closed, 1% appealed
SAs from 11 EEA countries imposed a total of €55.955,671 in fines
3. GDPR : where do we stand?
A joint project carried out between ECIIA and FERMA, with the support of 5 IIA national Institutes and 11 national risk management associations.
Our ambitious objectives were to:
• Collect “best practices” and key challenges related to GDPR from a large panel of practitioners.
• Promote good governance and internal audit and risk management alongside the GDPR.
• Provide facts and tangibles to be used as an advocacy tool for the new GDPR guidelines.
Survey in figures: up to 19 questions in total, 346 respondents, 25 interviewees.
5. GDPR : Polling question #1
Do you have a DPO internally or as an outsourced function?
• Internally – new function
• Internally – existing function
• Outsourced
• Other
6. Do you have a DPO internally or as an outsourced function?
• Yes: 82%
• No: 18%
How the DPO role is staffed:
• DPO role was assigned internally to an existing function: 53%
• New internal function: …
• Outsourced: 11%
Breakdown by function:
1. Legal - Compliance: 54%
2. IT - IS: 15%
3. Risk Management: 11%
4. Operations - Finance: 10%
7. GDPR : Polling question #2
What is your level of interaction with the DPO?
• Formalised
• Not Formalised
• No contact
• Not applicable
8. What is your level of interaction with the DPO?
• Formalised (several times a year…): 31%
• Not formalised (on request): 55%
• Not applicable – I’m the DPO…
• No contact…
• Not sure: 1%
86% in contact
9. GDPR : Polling question #3
In your organisation, who is in charge of reporting to the Board about data privacy matters including GDPR?
• DPO
• Senior Management
• CRO
• CAE
• Other
10. Who is in charge of reporting to the Board about data privacy matters including GDPR?
• CAE: 7%
• CRO: 10%
• DPO: 43%
• Senior management: 21%
• Other: 19%
11. GDPR : Polling question #4
Do you foresee that the GDPR related engagements will become recurring audits in your audit plan?
• Yes
• No
• I do not know
12. What elements of GDPR do you plan to (or currently) audit?
Chart values, in slide order: 56%, 44%, 42%, 33%
Chart categories: GDPR Governance, GDPR General Design, GDPR Implementation, GDPR performance & effectiveness
Audit plan trends (chart values, in slide order): 39%, 60%, 47% for 2018, 2019, 2020
13. GDPR : Polling question #5
Which one of the following types of risk does GDPR represent for your organisation?
• Strategic
• Operational
• Compliance
• Financial
• Reputational
14. How do you rate the various risks of GDPR in your organisation?
15. Did you perform an evaluation of the threats arising from the GDPR implementation?
• Yes: 76%
• No: 24%
Detailed answers:
• Yes, they have been financially quantified and with proposed mitigation measures: 30%
• Yes, as regards frequency and severity without financial quantification: 44%
• No, not my role, performed by another function, please specify which one: 26%
Is Data Protection integrated in your global risk mapping of ERM?
16. What are the challenges of GDPR implementation in your organisation?
Top challenges mentioned by respondents in the survey (%):
1. Uncertainty, complexity: 30%
2. Innovation/R&D: 25%
3. Workload, resources: 17%
4. Relations – 3rd parties: 14%
5. Relations – internal: 14%
20. Main recommendations for IA and the European Authorities
1. Recognize the key role played by corporate governance in ensuring GDPR compliance as well as a certain degree of accountability of organizations about personal data protection.
2. Reduce the uncertainty of how local authorities will deal with GDPR compliance (interpretation of what constitutes “high” risks, amount, format and frequency of the reporting…).
3. Formalize the relationship regarding privacy risks between the DPO, Risk Management and Internal Audit, relying on the three lines of defense model as a starting point.
21. Main recommendations for RM and the European Authorities
1. Embed data privacy in most of the existing risk maps.
2. Include the understanding of how privacy risks can affect all aspects of the business into their risk assessment, in order to propose credible and documented mitigation measures to the senior management of the organisation.
3. The next review of the GDPR by the European Commission in May 2020 should preserve the organisation’s ability to innovate.
23. Thank you and see you in 2020
Subscribe to our newsletter to stay informed: https://www.ferma.eu/contact-us/
24. About FERMA
FERMA brings together 21 risk management associations in 20 European countries. They represent nearly 5,000 professional risk managers active in a wide range of business sectors.
The Federation of European Risk Management Associations (FERMA) speaks for the risk management profession in Europe. FERMA acts on its behalf at European level and promotes the risk management profession.
FERMA provides a risk management perspective on European issues and strengthens the profession through a European risk management certification (rimap).
25. About ECIIA
ECIIA gives voice to 47.000 Internal Auditors in 34 countries from wider Europe.
The European Confederation of Institutes of Internal Auditing (ECIIA) is the voice of internal audit in Europe. Our role is to enhance corporate governance through the promotion of the professional practice of internal auditing.
The ECIIA mission is to further the development of good corporate governance and internal audit at the European level, through:
• Knowledge sharing
• Developing key relationships
• Impacting the regulatory environment, by dealing with the European Union, its Parliament and the European Authorities.
Editor's notes
TB
Which source for the figures?
July 2019 – European Commission Communication taking stock of one year of application of the GDPR: https://ec.europa.eu/info/sites/info/files/aid_development_cooperation_fundamental_rights/aid_and_development_by_topic/documents/communication_2019374_final.pdf
June 2019 – European Commission Report of the multi-stakeholder group: http://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupMeeting&meetingId=15670
PVB
Also present the structure of the document: recommendations for the authorities and for risk and audit practitioners, then the detailed results of the survey questions and the analysis.
TB
Lene Ritz has been Chief Risk Officer and Team Leader at the Danish company Energinet since 2014. She developed the ERM strategy and set up the risk management function at Energinet. Lene takes part in international working groups and networks, including FERMA, and has given numerous speeches and presentations.
Ralf Herold is Senior Vice President Corporate Audit at BASF, a German company. He is an expert in GDPR, as Germany was a pioneer in this piece of legislation.
Financial risk is surprisingly low (rated high by 11% of respondents)
Reputation risk is high on the agenda (rated high by 47% of respondents)
PVB
Challenges identified in the report: keywords only
Slide not shown
Ask the experts for key recommendations for companies, based on those in the report
TB: 1 recommendation for the authorities
PVB: 1 recommendation for the authorities