Data protection risk management guide

The following Risk & Compliance practice note provides comprehensive and up to date legal information covering:

  • Data protection risk management guide
  • Why you need to manage this risk
  • Top five priorities
  • 1. Responsibility and accountability
  • Do you have to appoint a DPO under the GDPR?
  • If not, should you formally appoint a DPO?
  • Can you appoint an external DPO?
  • Responsibility for data protection—mini action list
  • 2. Know your data
  • What personal data does the organisation hold?

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

Why you need to manage this risk

Data protection is one of the most challenging areas of risk management—the law is complex and wide-ranging; it operates at domestic, EU and international levels, is in a constant state of flux and is subject to several ongoing legal challenges.

Failing to comply with data protection requirements under the EU General Data Protection Regulation (GDPR) can expose an organisation to serious reputational damage, claims by aggrieved data subjects and fines up to €20m or up to 4% of the total worldwide annual turnover.

Top five priorities

The table below identifies five key priorities for data protection risk management and gives the heads-up on why each one is a priority area.

Each priority is then explained in further detail in the main body of this Risk management guide, including a series of mini action lists that:

  1. suggest action points for each
