The Global Forensic Data Analytics Survey gauges the usage of forensic data analytics (FDA) for risk management and shows increasing concerns about regulatory compliance with data protection and privacy rules.
However, although data protection/privacy compliance ranks first among rising risk levels overall, GDPR compliance (which is about personal data) is far from a fact. Organizations are not ready to respond to requests in the scope of data subject rights, nor to requests from or duties towards data protection authorities.
Just as data and ‘digital’ play an increasing role in the risk management landscape, technologies such as advanced big data analytics, cloud and, most of all, artificial intelligence and robotic process automation (RPA) shape the evolutions in forensic data analytics technology. An overview.
Increasing volumes of data and information come with increasing possibilities and opportunities in a digital transformation landscape where data obviously is an essential component, enabling organizations to move from raw data to innovation and valuable actions across myriad areas.
Yet, with ever more data and information and ever more digitization and digitalization come ever more risks as well.
And the more sensitive and mission-critical the data, information and digital processes and the more protected they need to be from various angles, the more important it becomes to monitor and manage them from a holistic risk management perspective.
Holistic risk management and forensic data analytics
Just as we’ve entered an era where cybersecurity, privacy, data protection and so forth need a holistic ‘by design’ approach, so does the ‘practice’ of risk management.
Sure, there are very specific areas of risk management (e.g. in capital projects or mergers and acquisitions), there is a range of industry-specific regulations and so on.
However, when looking at the main areas where rising risk levels are found we see a reality where, how else could it be, data and ‘digital’ are closely interconnected, also from a compliance perspective.
Regulatory compliance doesn’t just need to be ensured; compliance investigations or legal requests also need to be met, and for large organizations this de facto means gathering and analyzing large amounts of structured and unstructured data. And of course there is more: insider threats, external fraud, theft of trade secrets, regulatory response overall, you name it.
The value of digital assets, increasingly including data and information, is not just something to leverage where possible but also to be protected and monitored where needed as is the case for areas where risks can have significant consequences in a broader scope. It’s here that we meet forensic data analytics or FDA technologies and solutions.
Essentially forensic data analytics is technology (and people, skills and processes to use it properly) designed to assess, manage and mitigate risk at scale (big data for big risks as EY once called it) and at the same time an evolving technology that has moved beyond the more basic FDA solutions.
Just as the technologies to evaluate, manage and mitigate risks, whether it concerns internal risks or fraud, money laundering, the risk of cyber breaches (and as said more than ever risks from a regulatory and compliance perspective) change, so do the main perceived risks for organizations, obviously depending on the nature of their activities.
The increasing concerns regarding data protection and data privacy compliance risks
EY, a provider of forensic data analytics solutions, has been surveying global business leaders about the main risks they see for their corporations, and about the role (and usage) of forensic data analytics solutions in gauging, managing and mitigating those risks, since 2014, when it conducted its first biennial EY Global Forensic Data Analytics Survey.
At the end of January the results of the 2018 EY Global Forensic Data Analytics Survey were announced. Certainly when compared with the previous biennial surveys, they indeed show some profound risk changes: data protection and data privacy compliance risks in particular are a growing concern and even rank first in the list of areas where rising risk levels are reported, before cyber breaches and insider threats.
With increasing regulatory pressure being top of mind for surveyed business leaders, an impressive 78 percent of respondents are concerned about compliance with data protection and data privacy regulations.
Findings of the EY Global Forensic Data Analytics Survey 2018 on GDPR plans
Although compliance with data protection and data privacy is clearly on the mind of leaders in the scope of the overall legal, compliance and fraud risks global companies encounter and are worried about, there are more than worrying signs in practice.
The report zooms in on one of the most significant changes in data privacy law, which also comes before several others (such as the EU’s ePrivacy Regulation) in time (as a reminder: the GDPR or General Data Protection Regulation comes into effect on May 25th, 2018).
Surprisingly, even among these global companies GDPR compliance is far from a fact. According to the survey, conducted between October and November 2017, only 33 percent of respondents said they had a plan in place with GDPR
This is especially worrying as having a plan for GDPR compliance is about GDPR readiness and an ability to act when needed in the scope of breaches, regulatory requests, data subject requests and more. A real GDPR plan of action in the scope of compliance is not about GDPR awareness and a profound understanding of the impact of changed data subject rights, the duties of data controllers and of data processors and the legal bases for lawful processing of personal data such as consent, to name a few.
It is about actually being able to meet essential duties such as demonstrating compliance with personal data processing principles, enabling impactful rights such as the right to data portability, responding to requests from data protection authorities or data subjects and having the mechanisms in place when things do go wrong and the personal data breach notification duty starts to play, for example: a plan to act.
Global compliance plan differences and the risks of silos
As the Global Forensic Data Analytics Survey is by its very definition global, there are of course also global differences.
According to the press release from EY regarding the 2018 Global Forensic Data Analytics Survey, 60 percent of European respondents claimed to have a GDPR compliance plan in place, with Germany being far ahead of all the others, just as the country is ahead in cloud data security and protection too, as previously reported.
In other markets there is still a lot more to do from the GDPR plan and readiness perspective. Regardless of the precise numbers, the picture clearly isn’t what it should be, especially as global companies and those types of companies surveyed aren’t exactly those who are least impacted by the GDPR and other regulatory changes, ranging from the mentioned ePrivacy Regulation to China’s Cybersecurity Law and South Africa’s Electronic Communications and Transactions Act.
To give you an idea: roughly two-thirds of those surveyed work for organizations with revenues over US$500 million. The rest work in organizations with revenues between US$100 million and US$500 million. Over half work for organizations with revenues over US$1 billion.
More important, however, is that all respondents use forensic data analytics, which almost by definition means that they are among those who are very aware of risks and often have risk management functions.
Then why do many lack a compliance plan for GDPR? Part of the answer is related to job functions and, as per usual, silos of course. A majority of respondents are heads of internal audit or CROs, followed by a range of financial roles (CFO, financial controllers and more) and by functions such as head of compliance and head of legal.
Again, some areas of risk management are very specific. Yet, one can conclude that part of the issue no doubt is a siloed approach towards risk management whereby the focus of respondents is on those specific risk management factors, also depending on industry. If, as said, data and digital, also from a compliance perspective, are really starting to become key then perhaps it’s time to review this siloed approach.
Data protection and privacy regulation compliance and the role of forensic data analytics
Taking into account the regional differences, how else can it be explained that 39 percent of respondents are not familiar with the GDPR, that 17 percent heard about it but didn’t take action yet and that at the time of the survey 11 percent were still studying GDPR and its scope?
One can indeed come up with other reasons. However, we shouldn’t overlook the fact that concerns regarding data protection and data privacy compliance have been found to be by far the number one rising risk level.
So perhaps those who haven’t yet, but should, have in the meantime started working on their GDPR readiness plans, or will start doing so. Although pretty late, certainly given the types of organizations we’re talking about and the work to be done, that would at least be a step towards compliance and the demonstration of it, as well as towards avoiding GDPR fines.
Also noteworthy is that the Global Forensic Data Analytics Survey 2018 found that 13 percent of respondents stated they used FDA to achieve GDPR compliance at the time of the survey, with another 52 percent of respondents being in the process of analyzing which FDA tools they would use to assist them in becoming compliant.
Digital technologies and data feeding risks and impacting the market and evolutions of FDA solutions
Although data protection and data privacy compliance, as well as cyber threats, rank high on the rising risk level and “a growing digital footprint comes with additional risks” there are of course more risks. Moreover, as per usual there is a flip side to risk and that digital footprint.
Evolving technologies, also on the front of data, big data analytics, and more shape the market evolutions with regards to forensic data analytics as solutions to measure, mitigate and, in general, manage risk as the attack surface increases.
While the landscape of risks has changed, the Global Forensic Data Analytics Survey 2018 obviously points to these forensic data analytics evolutions as well. Moreover, as a provider of forensic data analytics solutions, EY points out that adopting forensic data analytics technologies “can achieve significant advantages, benefitting from more effective risk management and increased business transparency across all of their operations”.
And that includes data protection compliance, cyber threats and more. With “across all of their operations” we’re also back at that holistic approach and those silos. In the end, we are talking about big data analytics, also on a solutions level. And when talking about big data analytics and forensic data analytics technology there is not just an increasing adoption of the solutions as such but also of the more advanced FDA technology whereby we encounter the mentioned robotic process automation (RPA) and artificial intelligence.
More on forensic data analytics and the Global Forensic Data Analytics survey 2018
While data protection risk concerns are on the rise, so is the impact of these concerns on the use of these advanced forensic data analytics solutions.
Although successfully leveraging FDA is not just a matter of the right technologies but also of the right people and skills, the tools of course matter too. Again, it’s a very holistic thing as all is or should be in an age of integration enabled by advanced technologies.
More on the report, titled in full “How can you disrupt risk in an era of digital transformation? Global Forensic Data Analytics survey 2018”:
- in the press release with a focus on GDPR,
- on the overall findings, including GDPR, on the Global Forensic Data Analytics Survey 2018 landing page
- all the background and details in the full report (PDF, no registration).