News reports sometimes remind us that there is a Russian-nesting-doll quality to the risks that modern corporations face. Dig into the details of one risk source and what you’ll sometimes find is just another type of risk, which makes it tough to understand your overall risk profile.
Take what’s happening with Didi Global, the Chinese ride-hailing platform, as an example.
China’s internet regulator recently fined the company a jaw-dropping $1.2b, around five percent of revenue, as punishment for flouting the country’s cybersecurity, data security and personal information privacy laws. “The nature of the issue was vile and it should be punished severely,” one regulatory official told Xinhua, China’s state-run news agency.
The headline of this action in The Wall Street Journal, like most reporting on it, frames it as a penalty for cybersecurity breaches. But that’s not all that had transpired. Per the Journal:
Didi had collected excessive personal information on many of its users, including their ages, facial and job data and the home and office locations of users, according to a transcript of comments by the unnamed official that was published by Xinhua. …
Didi said in a statement on its official social-media account that it “sincerely accepted and will resolutely comply” with the regulatory decision and other rules. The company said it would comprehensively re-examine its practices and work with regulators to make necessary changes.
Set aside the amount of the fine for these particular infringements, which has no historical equivalent in the U.S. market. The actions being penalized are not necessarily beyond what many organizations do today. Tech companies build entire businesses off of collecting and monetizing user data. This is so regular and routine that it even has its own cliché: “if you’re not paying for the product, then you are the product.” Over time we will likely see other regulators bring similar actions.
The example also highlights the importance of having a near-real-time, holistic approach in place to understand and manage your organization’s risk profile.
The OptimEyes Unified Common Control Framework provides organizations a powerful way to understand and manage multiple regulations and risk framework standards with a minimum of effort. The ability to efficiently analyze your overall risk profile in a complex and rapidly changing regulatory environment is key to operationalizing risk management and creating a single source of truth – an important step in understanding the impact of enterprise risk on business goals.
Our Common Control Framework:
- Creates a single source of truth across multiple frameworks.
- Enables rapid performance of control assessments through custom carve-outs.
- Avoids duplication of effort by conducting multiple control assessments at one time.
- Identifies controls that are failing and in need of urgent attention.
- Generates a single set of dashboard analytics and a unified view of overall risk profile.