Since the introduction of the General Data Protection Regulation (GDPR) in May 2018, organisations that control the processing of personal data – known as data controllers – must report personal data breaches to their supervisory authority if there is likely to be a risk to data subjects’ rights and freedoms. Where feasible, this must be done within 72 hours of becoming aware of the breach. Failure to do so leaves organisations open to the possibility of administrative fines of up to €10 million or 2% of annual global turnover – whichever is greater.
A comprehensive risk assessment will help you identify and assess the risks that are relevant to your organisation and environment, and establish the potential impact of a data breach on both your business and data subjects.
It will also help you implement suitable measures to treat and manage those risks.
By following a proven risk assessment process and framework, you will be able to establish the potential impact of those risks on the confidentiality, integrity and availability of data – as required by the GDPR.