Privacy espresso seriesApril 14, 2022Part 1: Why never separate data privacy from GRC

In this privacyespresso Andreas von Grebmer, Information Security Advisor at Wizlynx group explains why businesses should never separate data privacy from Governance Risk Management & Compliance(GRC).

After studying GRC for almost 20 years in regulated and unregulated industries Andreas shared his insights in order to raise awareness on this topic. In fact, even if there is no silver bullet solution to prevent security issues, the following approach would certainly strengthen business security.

Since the implementation of the GDPR, everything under the GRC viewpoint started to be regulated more in detail. However, this also requires higher efforts to comply with regulations, as the risk of non-compliance is increased. As a result, there are now more requirements coming towards organizations.

The general business approach to this “matrix organization”, is to create a very complex set-up consisting in dividing the company’s activities into “silos”. This silos’ structure is quite logical but also brings some disadvantages, such as:

  • Not considering the overlapping among certain requirements by keeping sectoral management. This makes synergies among different departments more complex.
  • Risk Management is performed in Silos, by functions, (e.g. Environmental Risks, Financial Risk, Cyber Risk, Data Privacy) making it more difficult to have a clear overall picture of the real exposure of the Assets.
  • Lack of centralized repository of information assets. This can lead to problems as very often information has different owners.

All these points lead to a fragmented landscape producing higher operational costs and media breaks mining data integrity.

On the contrary, integrated implementation of Security, Data Privacy, and GRC ensure that costs are saved and resources are used wisely. Having access to all data in a centralized decision making would ease the entire business process as the company manager would:

  • have a clear picture of what they have, who owns certain data, how they should be protected, and how they are protected at the given time.
  • be able to better and faster respond to different laws and regulations requirements and manage their implementation within the organization.
  • have an instant overview of risks and controls together with the Stakeholders.
  • keep the knowledge of experts in case they leave.

This approach should lead to dissolving Silos in order to centralize the operations. However, this approach works only if driven by the leadership of the company, so it is key for them to understand the advantages of such an approach in order to release the resources for its implementation.

Finally, according to Andreas, to centralize operations a phased approach is recommended. Companies should take one or two important use cases and start from them.