GDPR Risk Register Example + [Free Template]
Published: January 29th, 2021
Author: Matthew Quinn
Categories: Risk Management
Getting started with risk management can be difficult, which is where our GDPR Risk Register Example can help. In this article, we will explain the relationship between GDPR compliance and risk management. We also provide a GDPR Risk Register Example Template, which can be used to help with GDPR risk management!
GDPR is an EU Data Protection regulation first released in 2016. It formally came into effect in May 2018.
The law regulates how organisations must handle personally identifiable information (PII) and what rights data subjects (the ‘owners’ of that data) have. This includes how organisations collect and use personal data.
Anyone who is a citizen of a country that is a member of the EU or the EEA is covered by this regulation, meaning that any organisation outside of the EU that collects or processes the PII of an EU citizen must comply with GDPR.
The maximum fine for a breach of GDPR is 20 million euros or 4% of annual turnover, whichever is higher. Although fines were lower during the first year after GDPR came into force, they increased dramatically in 2020.
Risk Management in GDPR
Risk Management is an important part of data protection.
While it might seem straightforward enough to just implement a control for every single requirement of the regulation, not everything will go according to plan.
A fully operational risk management process helps your organisation identify previously unforeseen risks, and ensures you remain compliant.
Moreover, in certain circumstances the GDPR requires organisations to carry out a specific type of risk assessment.
DPIAs (Data Protection Impact Assessments) are required any time you process personal data in a manner likely to be considered “high risk”.
Article 35 of the GDPR states: “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
Much like risk management, GDPR is a board-level issue and should involve all stakeholders. The IT department cannot undertake the project alone, as GDPR affects all the functions of an organisation. Sales, Marketing, Finance and other departments may be processing or collecting data, which means GDPR applies to them too.
A team involving every department that collects or processes data should be assembled to tackle GDPR and ensure that the organisation is compliant at all levels. It is also more appropriate for each function in the organisation to manage its own risks, as it is more familiar with the data and processes involved. Organise a risk identification and assessment team for each function that collects or processes data.
What is a Risk Register?
A Risk Register is an archive of an organisation’s documented risks, their risk levels, and the current or planned actions to mitigate them.
Risk Registers come in all shapes & sizes, from spreadsheets to specialist software.
Organisations can use this document for general risk management, e.g. identifying and tracking risks and drawing up a risk treatment plan.
It is also useful to have this documentation for regulatory compliance purposes, as well as evidence of continual improvement.
Each risk is assigned a risk owner: an individual who is ultimately accountable for ensuring the risk is managed properly.
A template of a risk register should include the following:
- Risk – e.g. employees click on a phishing email
- Potential Consequences – e.g. malware infects network/devices, login accounts compromised, loss of data
- Risk Score – how likely the risk is to occur and how big the impact would be if it did occur, e.g. highly likely and huge impact
- Decision on whether to reduce the risk – should action be taken?
- Action that will be carried out to reduce the risk – e.g. anti-phishing software, employee training
There are many risk identification techniques that you can adopt. The most important thing is to document the results, as they can later be used for further risk identification.
Think about the consequences a risk may bring; oftentimes there is a snowball effect, where one risk occurring leads to others. For example, if an employee clicks on a phishing email, the immediate consequence could be their account becoming compromised.
Further consequences follow from that: now that their account is compromised, the data they have access to could also be compromised.
If that data happened to be PII or sensitive information, then we have a big problem on our hands. This would be a direct breach of GDPR and the organisation could face heavy fines.
In the context of GDPR, organisations should assess the risk of the controls that ensure legal compliance failing, whether those are technical controls or processes such as consent collection. It is important to have safeguards in place in case such processes fail.
Having a risk register will help organizations assess risks and allow them to review processes and controls to ensure that they are compliant.
GDPR Risk Register Example Template
The GDPR Risk Register Example template that we have provided follows the structure described above.
We have listed some GDPR risk examples; however, the risk scoring should be determined by your organisation based on its circumstances and existing controls.
- Periodically identify and assess risks
- Be thorough with your risk identification and prioritise the risks that have been rated with the highest scores.
- Choose a risk acceptance score (the maximum risk score that can be accepted without implementing further controls). This is decided by your board.
- Reduce every risk until it falls within the risk acceptance score.
- Review periodically.
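To make the template fields and the five steps above concrete, here is a small risk register in Python. It is an added example, not the article's template or any real organisation's register. It assumes a 1 to 5 rating for likelihood and impact, a risk score of likelihood multiplied by impact, and an acceptance score of 6; the sample risks, owners, ratings and treatments are constructed for illustration only.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed scoring scale: likelihood and impact are each rated from
# 1 (very unlikely / negligible) to 5 (highly likely / huge impact).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Risk:
    """One row of the register, mirroring the template fields in the article."""
    risk: str                       # e.g. "Employees click on a phishing email"
    consequences: list[str]         # snowball effects, listed in order of occurrence
    likelihood: int                 # 1-5 (assumed scale)
    impact: int                     # 1-5 (assumed scale)
    owner: str                      # individual accountable for the risk
    actions: list[str] = field(default_factory=list)   # planned or implemented controls
    # Ratings reassessed after treatment; None until the risk has been treated.
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"rating {value} is outside {SCALE_MIN}-{SCALE_MAX}")

    @property
    def score(self) -> int:
        """Inherent risk score: likelihood x impact (maximum 25 on the assumed scale)."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Score after treatment; equals the inherent score if not yet reassessed."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.score
        return self.residual_likelihood * self.residual_impact


def prioritise(register: list[Risk]) -> list[Risk]:
    """Step 2: highest inherent score first, so the worst risks are handled first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def needs_treatment(risk: Risk, acceptance_score: int) -> bool:
    """Decision column: act if the current score exceeds the board-set acceptance score."""
    return risk.residual_score > acceptance_score


def treat(risk: Risk, actions: list[str], new_likelihood: int, new_impact: int) -> Risk:
    """Step 4: record the chosen actions and the reassessed (residual) ratings."""
    risk.actions.extend(actions)
    risk.residual_likelihood, risk.residual_impact = new_likelihood, new_impact
    return risk


def outstanding(register: list[Risk], acceptance_score: int) -> list[str]:
    """Step 5 (review): names of risks still above the acceptance score."""
    return [r.risk for r in register if needs_treatment(r, acceptance_score)]


def build_example_register() -> list[Risk]:
    # Constructed sample rows; ratings are illustrative, not an assessment of any real organisation.
    return [
        Risk("Employees click on a phishing email",
             ["Login accounts compromised", "Malware infects network/devices",
              "PII the user can access is exposed (GDPR breach)"],
             likelihood=4, impact=5, owner="Head of IT"),
        Risk("Consent collection form fails to record opt-in",
             ["Marketing emails sent without a lawful basis"],
             likelihood=2, impact=4, owner="Head of Marketing"),
        Risk("Paper HR records left on desks overnight",
             ["Employee PII viewed by unauthorised staff"],
             likelihood=2, impact=2, owner="HR Manager"),
    ]


# Constructed treatment plans: risk name -> (actions, residual likelihood, residual impact).
EXAMPLE_TREATMENTS = {
    "Employees click on a phishing email":
        (["Anti-phishing email filtering", "Employee awareness training", "MFA on all accounts"], 2, 3),
    "Consent collection form fails to record opt-in":
        (["Automated consent log with monthly audit"], 1, 4),
}


def run_cycle(acceptance_score: int = 6) -> list[str]:
    """One pass through the steps; returns the risks still outstanding at review time."""
    register = prioritise(build_example_register())
    for r in register:
        plan = EXAMPLE_TREATMENTS.get(r.risk)
        if needs_treatment(r, acceptance_score) and plan is not None:
            treat(r, *plan)
    return outstanding(register, acceptance_score)


if __name__ == "__main__":
    for r in prioritise(build_example_register()):
        print(f"{r.score:>2}  {r.risk}  (owner: {r.owner})")
    print("Outstanding after treatment:", run_cycle(6))
```

With the assumed acceptance score of 6, the phishing risk (score 20) and the consent risk (score 8) are treated down to 6 and 4 respectively, while the paper-records risk (score 4) is accepted without further controls, so nothing is outstanding at review. Lowering the acceptance score to 3 leaves all three risks outstanding, which is exactly the signal the periodic review step is meant to surface.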