The General Data Protection Regulation (GDPR) has provided a basis for carrying out a Data Processing Impact Assessment (DPIA) as laid out in Article 35(7). It kicks off by providing a sequenced inventory of proposed data processing methods and purposes. The GDPR requests that concerned data subjects must be involved in every decision taken about the processing of their personal data and details of proposed measures to identify and remedy any perceived risks. Protecting personal data by complying with the GDPR will only be achieved by incorporating within an organisation, proactive measures to safeguard and protect personal data with certified and valid security mechanisms.
This will need to evolve and change to continue to provide a high level of protection with the use of compliant policies, processes and procedures.
Some examples include:
- Privacy by design
- Regular audits and testing network security
- Security policies for physical and virtual equipment
- Regular GDPR staff training – your team must know how to correctly utilise security equipment, for example, firewalls and new security features.
✓ When is the Data Protection Impact Assessment (DPIA) mandatory for an organisation?
A Data Protection Impact Assessment (DPIA) will be mandatory in cases where organisations embark on certain types of high risk or high impact projects or processing, including:
- Firstly, Large scale projects or processing
- Secondly, Monitoring and analyzing
- Thirdly, Automated decision making and profiling
- Vulnerable data subjects
- Transfers of personal data outside the EU
- Processing of sensitive data
Managing risk is a critical process for organisations, who will need to focus on what the risks are and the resulting impact, not only on the rights of the individual but also the organisation itself as a result of a potential data breach.
Benefits of incorporating a rigid risk assessment policy
The organisation will benefit from an enhanced reputation, resulting in being more attractive to customers, will be more efficient in delivering quality goods and services and also will be compliant with other legal obligations to prevent other commercial risks such as fraud. So, Clients, employees, and customers will benefit from improved GDPR data protection and privacy.
Society will enjoy the benefit in a broader sense as services with greater efficiency, transparency, and fairness along with guarding against cyber-attacks, fraud, file sharing, piracy, computer viruses, spam, email hacking etc. While there is no set definition of the concept of “risk” the General Data Protection Regulation (GDPR) provides some guidance for organizations on how to determine if a project or processing poses a risk to the privacy of individuals.
However, the goal of putting in place a risk assessment policy and the main objective of the General Data Protection Regulation (GDPR) is to reduce any negative risk. Risks of the following kinds should be minimized:
- Financial loss
- Physical threats or injuries
- Identity theft
- Leaking of confidential information
- Damage to reputation
- Intrusion into private life
Lead supervisory authority (Data processing impact assessment)
Data controllers and processors who discover that the processing carried out by their organisation will result in a high risk of harm in the event of a data breach will need to consult their appointed lead supervisory authority (LSA) who will have responsibility for dealing with this type of data processing activity.
Prior to any data processing, consultation must take place, with the data controller providing thorough information regarding the organization’s responsibilities with regard to the purposes and mechanisms of the processing to be carried out, measures for safeguarding and protecting the personal data, and the Data Protection Officer’s contact information (DPO).
The LSA will also want to know how a Data Protection Impact Assessment (DPIA) incorporates and by whom. Typically, Data Protection Officer (DPO) will have role of supervising implementation of Data Protection Impact Assessment (DPIA). And will be responsible for identifying:
- Point of risk
- Details of the duties and responsibilities of the DPO
- Regular and systematic assessments of the planned processing
- Identifying the risks
- Listing necessary measures to mitigate such risks
- Putting together a system and planned measures to assure compliance
Other detailed GDPR data protection issues to be incorporated and provided to the LSA will be:
- Firstly, The origin of the data
- secondly, The procedures of processing
- Thirdly, Location of processing
- Applicable stakeholders
- Lastly, Processing methods used for deletion and anonymization
Finally, the organisation, alongside all the relevant bodies, key stakeholders and DPOs, will formulate a strategy and plan for implementation.
So, The Data Protection Impact Assessment (DPIA) will involve formulating complete policies. Procedures for locating the risky areas. And together with detailed recommendations, how to address and remedy each risk area by the use of a scoring technique. Which will, in turn, provide a dynamic document for future progress and improvement.
✓ GDPR summary
Data Protection Impact Assessment (DPIA) is mandatory for many organizations. And the General Data Protection Regulation (GDPR) allows for a certain level of flexibility within a “risk-based” approach. That can adapt and change in line with technology and processing methods.
Therefore, If it transpires that your organisation is under category for whom it is mandatory to conduct a Data Protection Impact Assessment. And it is not GDPR compliant. Then it is vulnerable to hefty fines of up to €20 million or 4% of the total global annual turnover.