The GDPR sets out the minimum contents of a Data Protection Impact Assessment (DPIA) in Article 35(7). The assessment opens with a systematic description of the envisaged processing operations and their purposes, followed by an assessment of the necessity and proportionality of the processing, an assessment of the risks to the rights and freedoms of data subjects, and the measures envisaged to address those risks.
Where appropriate, the controller must also seek the views of data subjects or their representatives on the intended processing (Article 35(9)), and the DPIA should record the proposed measures for identifying and remedying the risks found.
Compliance with the GDPR is not achieved by the assessment alone. It requires the organisation to put in place proactive, demonstrable safeguards for personal data, backed by security mechanisms that are appropriate to the risk and whose effectiveness can be shown (Article 32).
Best practice security policies
These will need to evolve and change continually to provide a high level of protection.
Such safeguards include:
» Data protection by design and by default (Article 25)
» Regular auditing and testing of network and system security
» Security policies covering both physical and virtual equipment
» Regular personnel training – your team needs to know how to correctly operate the security controls in use, for example firewalls and newly deployed security features
In addition, the DPIA should set out the measures the organisation will take in the event of a personal data breach, including how it will meet the obligation to notify the supervisory authority within 72 hours of becoming aware of a breach (Article 33) and to communicate the breach to affected data subjects where it is likely to result in a high risk to them (Article 34).
A DPIA should therefore form an integral part of an organisation's policies and procedures wherever processing is likely to result in a high risk to the rights and freedoms of the data subjects whose data the organisation stores and processes (Article 35(1)).
A DPIA is mandatory where an organisation embarks on certain types of processing. Article 35(3) names three cases outright (systematic and extensive evaluation based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special categories of data or criminal conviction data; and large-scale systematic monitoring of a publicly accessible area), and supervisory authority guidance adds further criteria. Taken together, the triggers include:
- Large-scale processing
- Systematic monitoring and analysis of individuals
- Automated decision-making and profiling
- Processing of data about vulnerable data subjects
- Transfers of data outside the EU
- Processing of sensitive (special category) data
The ICO website provides a useful list of screening questions and a guided checklist that organisations should refer to when formulating their DPIA.
A DPIA is not mandatory where the processing is assessed as unlikely to result in a high risk, where a DPIA has already been carried out for a similar processing operation (Article 35(1) allows a single assessment to cover a set of similar operations presenting similar risks), or where the processing is required by EU or Member State law and a DPIA was already carried out when that law was adopted (Article 35(10)).
Managing risk is a critical process for organisations. They need to identify what the risks are and what the impact of a data breach would be, not only on the rights of the individuals concerned but also on the organisation itself.
Benefits of incorporating a rigorous risk assessment policy
The organisation benefits from an enhanced reputation, which makes it more attractive to customers; from greater efficiency in delivering quality goods and services; and from compliance with other legal obligations, which in turn guards against commercial risks such as fraud. Clients, employees and customers benefit from improved data protection and privacy.
Society benefits in a broader sense, as services are delivered with greater efficiency, transparency and fairness, and organisations are better placed to guard against cyber-attacks, fraud, unauthorised file sharing, piracy, malware, spam, email account compromise and similar threats.
Whilst the GDPR contains no formal definition of "risk", Recitals 75 and 76 give guidance that organisations can use to decide what qualifies as a risk to the rights and freedoms of individuals, assessed by reference to the likelihood and severity of the harm.
The purpose of implementing a risk assessment policy, and the main focus of the GDPR, is that any adverse risk to individuals is reduced as far as reasonably possible using reasonable and practicable controls, such as best practice management and appropriate technology.
Types of risk that need to be prevented or minimised include (Recital 75 gives a similar list):
- Financial loss
- Physical threats or injuries
- Identity theft
- Leaking of confidential information
- Damage to reputation
- Intrusion into private life
Other risks, such as broader societal risks, may also belong on the list, but that category needs further guidance to clarify its meaning in the context of GDPR compliance and to assist organisations in carrying out their risk analyses.
Lead Supervisory Authority
Where a DPIA indicates that the processing would result in a high risk to data subjects in the absence of measures taken by the controller to mitigate that risk, the controller must consult the supervisory authority before processing begins (Article 36). For cross-border processing this will be the lead supervisory authority (LSA) of the controller's main establishment (Article 56); otherwise it is the supervisory authority of the Member State concerned.
Consultation must take place prior to any processing. The controller provides the authority with the respective responsibilities of the controller, any joint controllers and processors, the purposes and means of the intended processing, the measures and safeguards in place to protect the personal data, the contact details of the Data Protection Officer (DPO) and the DPIA itself (Article 36(3)). The authority has eight weeks to provide written advice, extendable by a further six weeks for complex cases (Article 36(2)).
The authority will also want to know how the DPIA is incorporated into the processing operation, how this is overseen and by whom.
Responsibility for carrying out the DPIA rests with the controller (Article 35(2)); the DPO advises on it and monitors its performance (Article 39(1)(c)). In practice the DPO will typically oversee the DPIA and be responsible for identifying:
- At what point the processing is expected to create a risk to data subjects
- The duties and responsibilities of the DPO in relation to the processing
- Regular and systematic assessments of the planned processing
- Establishing the risks
- Listing necessary measures to mitigate such risks
- Putting together a framework and planned measures to ensure compliance
Other details to be recorded in the DPIA and provided to the supervisory authority are:
» The origin of the data
» The procedures used for processing
» The location of processing
» The stakeholders involved
» Retention periods and the methods used for deletion and anonymisation
Finally, the organisation, together with the relevant parties such as stakeholders and the DPO, formulates a strategy and plan for implementation.
The DPIA documents the policies and procedures for identifying each area of risk, together with detailed recommendations on how to address and remedy it. Scoring each risk (for example by combining the likelihood of the harm with its severity, before and after mitigation) turns the DPIA into a living document against which future progress and improvements can be measured.
DPIAs are mandatory for many organisations, and the GDPR allows a degree of flexibility within its "risk-based" approach so that assessments can adapt as technology and processing methods change.
Organisations that have not yet assessed whether the data they manage presents a high risk should focus on this area now to ensure GDPR compliance.
If your organisation falls within the mandatory DPIA requirements and fails to carry one out, the applicable fine under Article 83(4) is up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. The higher tier of up to €20 million or 4% of turnover (Article 83(5)) is reserved for breaches of the basic principles of processing, of data subjects' rights, or of the rules on international transfers.