Motivation of DPIA
The DPIA will play a crucial part in categorising and assessing the privacy risks of Personally Identifiable Information (PII) in organisations. As a result, organisations should implement adequate processes to reduce risks and the impact of the risks to the PII of data subjects. In addition, organisations will have a mechanism for addressing the risk of non-compliance with the regulations, addressing IT operational risk whilst at the same time providing trust that will enhance competitive advantage. The DPIA can be considered as part of a broader risk management process that any organisation must implement and perform to address all relevant risks. The DPIA analyses risks to PII and provides a mitigation process, using control measures related to the risks that are identified.
Scope of the DPIA
Information security aims to protect the confidentiality, integrity, availability, authenticity and auditability of information. Therefore, there is overlap with the scope of the DPIA. However, the DPIA also aims to deal with compliance, accuracy, continuity and recovery, as well as other objectives of information and data security. Hence, the DPIA deals with a much broader process. In a nutshell, a DPIA is an assessment of the risks to the rights and freedoms of data subjects, and the mitigating controls are provided to minimise such risks. This is to ensure that methods of protecting PII for compliance with the requirements of GDPR are specified.
Stakeholders and Responsibilities
- The GDPR owner (in many cases, the new Data Protection Officer [DPO] role) is responsible for conducting a DPIA.
- The risk owners are responsible for implementing controls to address and mitigate risks to privacy.
- The GDPR owner and the “Head of Risk” must check that correct controls are implemented to mitigate any risks identified in the DPIA process.
DPIA Phases
The GDPR requires that data controllers/owners implement a DPIA where certain kinds of processing of PII are likely to increase the risk to the data subject. The DPIA must incorporate a systematic and extensive assessment of processes in organisations and how PII is protected. Thus, the DPIA process comprises the following phases:
- Phase 1 – Determining the criteria for conducting a DPIA
- Phase 2 – Commencing the process
- Phase 3 – Data processing: identification and characterisation of data subjects
- Phase 4 – Identification of privacy risks and risk assessment
- Phase 5 – Recommendation of solutions and residual risks
- Phase 6 – GDPR post-treatment compliance assessment
- Phase 7 – Providing the DPIA report and approval
- Phase 8 – Review and maintenance, and change management documentation
The above DPIA phases will assist organisations in identifying risks attached to PII during processing. Therefore, outlining the essential phases of the process will help organisations to allocate the right solutions and controls to mitigate risks to PII. The senior management team will then receive the right information to inform effective decision-making when setting budgets for process and planning.
Risk Assessment
GDPR suggests a risk-based approach to data privacy, but it does not dictate any specific methodology for the risk assessment. Risk assessment becomes even more relevant in relation to information security. However, it is important to distinguish between a “Risk Analysis” and a “Risk Assessment”. A risk analysis involves identifying threats to an organisation and analysing the related vulnerabilities to such threats. A risk assessment includes evaluating existing controls and assessing their competence in relation to the potential risks to the organisation. Every organisation must create its own risk profile to assess the risks based on business requirements and its own risk appetite. To initiate a risk assessment for GDPR data, the following steps are recommended:
- The identification of risk management tasks, responsibilities, activities, and budget
- The appointment of a risk owner with clearly-defined tasks
- Maintenance of the attributes of a defined risk: label, description, probability, and importance
- Mapping and classification of GDPR data
- The identification of the potential impact on the confidentiality and integrity of the data
- Planning controls for risks to PII that are identified as requiring mitigation
- Reporting identified risks and the effectiveness of controls
Conclusion
The GDPR encourages organisations to put sufficient processes in place, as detailed above, so that risks to PII are minimised and the privacy of individuals is protected. Indeed, privacy is a core principle at the heart of the new regulations. In addition, the regulations place emphasis on the need for robust governance by data controllers, so that organisations have good oversight of their processing activities, providing an extra layer of assurance for individuals that their PII is well protected. The GDPR also emphasises the need for suitable processes, such as the DPIA, to be implemented to support data processing activities. Organisations that take a methodical approach to introducing new processes and appoint the new roles, such as the Data Protection Officer, well in advance will be best placed to successfully adopt and adapt to the new rules. As we have demonstrated, risk assessment will support the identification of business activities requiring redesigned processes by identifying the information assets to be protected, the potential risks to the individuals and indeed to the business itself if these are not protected, and clear channels for providing transparency over this process and, ultimately, assurance of compliance for business owners.