6 Lloyd's Avenue London EC3N 3AX
+44 (0)20 7680 3088
  • About Airmic

    Airmic is a members’ association supporting those responsible for risk management and insurance within their own companies. We have nearly 1200 individual members who represent over 450 companies.


GDPR - risk managers must be at the heart of compliance


Cyber-security cannot be the sole responsibility of IT departments, and risk managers should become an integral part of implementing GDPR, according to the European risk management federation, FERMA.

FERMA recommends an enterprise-wide approach to GDPR compliance with risk managers taking over the new role of Data Protection Officer. It says there has been an enormous jump in awareness of the potential misuse of personal data this year, which has thrown the spotlight on companies, and the way they manage the data they hold.

The first priority for the risk manager, it says, is to ensure continuing compliance with GDPR as part of the organisation's management of digital risks. It describes it as "a continuing exercise in the fast-changing digital world."

A second priority is to understand the associated reputation risks. In addition to some potentially very large fines, a company could be forced to alter its business model as the result of a breach of GDPR. 

FERMA has called for organisations to create dedicated internal cyber governance groups, led by the risk manager, to address digital risks across the whole enterprise. The group would support the organisation in meeting its obligations under the GDPR and Network Information Security Directive, now transposed into member state laws, and in managing other cyber-risks. 

"We do not yet know how member states will begin enforcement of GDPR, but the consequences of non-compliance are potentially very serious," said FERMA president Jo Willaert.

"GDPR goes to the heart of the way that many large companies operate today and could affect opportunities they would like to gain from data. Data is one of the largest assets a company holds, so these are truly enterprise issues that affect strategic aspects of the board's mandate, including valuation, reputation and trust. The management of digital risks is a corporate issue that should be reflected in the governance of the company."