The General Data Protection Regulation (GDPR) provides the basis for carrying out a Data Protection Impact Assessment (DPIA), as laid out in Article 35(7). The assessment starts with a systematic inventory of the proposed data processing operations and their purposes. The GDPR requests that the data subjects concerned be involved in every decision taken about the processing of their personal data and be given details of the proposed measures to identify and remedy any perceived risks. Protecting personal data in compliance with the GDPR can only be achieved if an organisation incorporates proactive measures to safeguard personal data, backed by certified and valid security mechanisms.
These measures will need to evolve over time in order to continue to provide a high level of protection, supported by compliant policies, processes and procedures.
Some examples of safeguards that are considered best practice for organisations to adopt include:
- Privacy by design
- Regular audits and testing network security
- Security policies for physical and virtual equipment
- Regular GDPR staff training – your team must know how to correctly utilise security equipment, for example, firewalls and new security features.
The Data Protection Impact Assessment (DPIA) should also contain a comprehensive list of the measures to be taken in the event of a personal data breach. A DPIA should form an integral component of an organisation’s policies and procedures wherever there is a real risk to the rights and privacy of the data subjects whose personal data that organisation stores and processes.
✓ When is the Data Protection Impact Assessment (DPIA) mandatory for an organisation?
A Data Protection Impact Assessment (DPIA) will be mandatory in cases where organisations embark on certain types of high risk or high impact projects or processing, including:
- Large scale projects or processing
- Monitoring and analysing
- Automated decision making and profiling
- Vulnerable data subjects
- Transfers of personal data outside the EU
- Processing of sensitive data
A Data Protection Impact Assessment (DPIA) would not be imperative where the project or processing is deemed to be less risky, or where the organisation has already carried out a DPIA in a similar but different context in order to comply with legal obligations.
Managing risk is a critical process for organisations, which will need to focus on what the risks are and on the resulting impact of a potential data breach, not only on the rights of the individual but also on the organisation itself.
Benefits of incorporating a rigid risk assessment policy
The organisation will benefit from an enhanced reputation, resulting in being more attractive to customers, will be more efficient in delivering quality goods and services and also will be compliant with other legal obligations to prevent other commercial risks such as fraud. Clients, employees, and customers will benefit from improved GDPR data protection and privacy.
Society will enjoy the benefit in a broader sense as services will be delivered with greater efficiency, transparency, and fairness along with guarding against cyber-attacks, fraud, file sharing, piracy, computer viruses, spam, email hacking etc. While there is no set definition of the concept of “risk” the General Data Protection Regulation (GDPR) provides some guidance for organisations on how to determine if a project or processing poses a risk to the privacy of individuals.
The purpose of implementing a risk assessment policy, and the main focus of the General Data Protection Regulation (GDPR), is that any adverse risk to individuals is reduced as far as reasonably practicable, using controls and systems such as best-practice management and technology. Types of risk that need to be minimised include:
- Financial loss
- Physical threats or injuries
- Identity theft
- Leaking of confidential information
- Damage to reputation
- Intrusion into private life
Other risks, such as societal risks, may be added to the list, but this category would need further guidance to clarify its meaning in the context of GDPR compliance and to assist organisations in carrying out their risk analysis.
Lead supervisory authority
Data controllers and processors who discover that the processing carried out by their organisation will result in a high risk of harm in the event of a data breach will need to consult their appointed lead supervisory authority (LSA) who will have responsibility for dealing with this type of data processing activity.
Consultation has to take place before any data processing begins, with the data controller providing detailed information on the organisation’s accountabilities with regard to the purposes and mechanisms of the processing to be carried out, the measures for safeguarding and protecting the personal data, and the contact information for the Data Protection Officer (DPO).
The LSA will also want to know how a Data Protection Impact Assessment (DPIA) will be incorporated into the processing operation, how this will be overseen and by whom. Typically, the Data Protection Officer (DPO) will have the role of supervising the implementation of the Data Protection Impact Assessment (DPIA) and will be responsible for identifying:
- At what point the processing is expected to bring about a risk to the data
- Details of the duties and responsibilities of the DPO
- Regular and systematic assessments of the planned processing
- Identifying the risks
- Listing necessary measures to mitigate such risks
- Putting together a system and planned measures to assure compliance
Other detailed GDPR data protection issues to be incorporated and provided to the LSA will be:
- The origin of the data
- The procedures of processing
- Location of processing
- Applicable stakeholders
- Processing methods used for deletion and anonymisation
Finally, the organisation, alongside all the relevant bodies, key stakeholders and DPOs, will formulate a strategy and plan for implementation.
The Data Protection Impact Assessment (DPIA) will involve formulating complete policies and procedures for locating the risky areas, together with detailed recommendations on how to address and remedy each risk area using a scoring technique. This in turn provides a living document that can be used to track future progress and improvement.
✓ GDPR summary
Data Protection Impact Assessment (DPIA) is mandatory for many organisations and the General Data Protection Regulation (GDPR) allows for a certain level of flexibility within a “risk-based” approach that can adapt and change in line with technology and processing methods.
If it transpires that your organisation falls into a category for which conducting a Data Protection Impact Assessment (DPIA) is mandatory and it is not GDPR compliant, then it is exposed to hefty fines of up to €20 million or 4% of total global annual turnover, whichever is higher.