By French Caldwell
MetricStream Chief Evangelist
In what is becoming an annual event, MetricStream’s chief evangelist, French Caldwell, provides GRC & Fraud Software Journal readers with predictions for the upcoming year.
Data controllers and others face surge in complaints
In 2018, large data controllers, data processors, and privacy authorities will be found to be unprepared for a surge in requests and complaints by data subjects. The new EU GDPR expands the rights of data subjects in the EU with several new or strengthened rules, including the right to rectification, the right to erasure, the right to object, and the right to restrict processing.
Privacy advocate groups will launch campaigns that drive large numbers of EU citizens to test these new rights. Many companies and government organizations will find they are vastly under-prepared to manage the large volume of requests and complaints.
Furthermore, many privacy authorities will not be prepared to manage the large number of complaints they receive. To prepare, data controllers should have robust case management processes in place, and they should ensure that their third-party data processors do as well.
Likewise, privacy authorities should evaluate their complaint management processes and ensure they are ready for a large surge.
The first €1million or more penalty under GDPR
The new EU GDPR provides for large penalties: for the most serious infringements, up to 4 percent of annual worldwide turnover or €20 million, whichever is higher. (Failures of a controller's or processor's own obligations, including the breach notification duty, fall under the lower tier of up to 2 percent or €10 million.) With the number of large data breaches growing, it is only a matter of time before a large breach occurs under the new regime.
While typically with a new regulation, there is a period of adjustment where regulators work through enforcement priorities, in the case of GDPR European privacy authorities are under a very public spotlight.
The first few companies or government agencies with a large data breach will set the standard for enforcement – especially if they delay reporting it.
While Europe has reported far fewer data breaches than the U.S., that could change with the GDPR requirement to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
The best defense for data controllers and processors will be strong data protection and cybersecurity programs that are well tested, documented, and ready for an audit by privacy authorities.
Regulatory technology primary driver for GRC
In 2018 and 2019, regulatory tech – which uses information technology to enhance regulatory and compliance processes – will emerge as the primary driver of technological innovation for the GRC market.
Just as biotech is driving innovation in the life sciences industry, and fintech is doing the same in finance, regulatory tech is starting to impact the research and development investments of major GRC providers.
Artificial intelligence and machine learning, applied to both structured and unstructured data to surface new risk and threat insights, are the obvious technical leaders of this innovation, but not the only ones.
Alexa-like advanced chatbots will enable users to quickly navigate applications, create reports, and discover relationships between risks, controls, processes, performance, assets and other data objects.
Hybrid machine-human scoring of third party cybersecurity, financial, and sustainability risks will supplement onboarding and continuous monitoring programs.
Facial recognition will provide a new means of assurance for data access and separation of duties. To gain competitive advantage, GRC vendors will increase funding for regulatory tech initiatives both organically and through acquisitions.