The European Union's General Data Protection Regulation, or GDPR for short, takes effect on May 25, just three months from now. It's the biggest new compliance regulation in many years, and businesses that are unprepared may face some unpleasant consequences.
That's where a data protection impact assessment, often shortened to DPIA, can help. We'll get more into what a DPIA is and how to conduct one in a minute -- after a reminder of just how sweeping the new GDPR regs are and just how many businesses they'll affect.
GDPR's rules on user data management, privacy and security don't just apply to European firms. Any company, regardless of where it's based, is affected if it has customers in the region. That includes vendors that ship goods to European customers, along with online services, cloud products and web applications that are available to European users.
Mishandling user data can come at a steep cost under GDPR. The penalty for playing it fast and loose with personally identifiable information and other sensitive data can be as high as four percent of a company's global annual revenue.
Also key to GDPR readiness, and to ensuring your organization's risk management policies cover all the bases, is a data protection impact assessment (DPIA).
Here's what Article 35(1) of GDPR on the DPIA states:
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
An example of an activity that requires a DPIA is automated processing that involves evaluating or profiling a user's personal data. When carrying out an assessment, the law specifies seeking out the advice of a data protection officer, if one is appointed. After it is determined that a DPIA is indeed required, it's time to get started.
How to conduct a GDPR data protection impact assessment
Although approaches may differ slightly, DPIA templates typically hit a few major points. For those curious, Article 35(7) spells out what an assessment should contain at the very minimum. The Article 29 Working Party's guidelines on DPIA are also worth a download.
It is important to note that if your organization has already run privacy impact assessments (PIAs), there are differences between the two despite some overlap. Traditional privacy risk assessments may fall short of satisfying the GDPR requirement, although elements may carry over and help inform a DPIA.
Here's a handy DPIA checklist:
- Determine the circumstances in which a DPIA is required
Consult the regulation. Aside from Article 35, Articles 5 through 11 provide important guidelines placing limits on personal data collection and processing. Chances are that your business will need a DPIA. And while you're at that link, read all 99 articles of the regulation -- because you can't afford not to. The first 50 articles all concern handling of personal data.
Can't tell if DPIA applies to your business? Seek out the expertise of your data protection officer and compliance teams to determine what types of personal data are collected and how. Don't have the expertise in house? Consultants and external experts may be called for.
- Detail how information is processed and circulates while conducting business
It's time to take stock of the types of information collected by your organization, how it is processed and the purposes behind the data processing practices of the data controller, which is how the GDPR describes entities that determine how data is processed. Keep in mind how information flows, not only regarding your own systems, but also between third parties and whether it crosses in and out of the EU's borders.
Having trouble with this step? It's time to catalog how and where user data is processed and the privacy policies governing the management of that data. Your chief data officer and IT department will play a critical role here.
- Identify the risks
This requires a risk assessment that determines the impact that the forms of data processing employed by an organization have on the "rights and freedoms of data subjects," the law decrees. Are they at risk of being undermined by lax privacy programs and security controls? Investigate and record your findings.
- Determine the appropriate safeguards
Establish the personal data protection and security solutions and procedures required to counteract the risks you identified in the previous step.
Having trouble? Now is a good time to tap into the expertise of both your compliance and IT security teams.
- Draw up your DPIA and live by it
Create a formal report that contains the above elements and implement the personal data protection controls, security mechanisms and procedures that will help your organization comply with GDPR. A good faith effort is critical if you want to avoid becoming a GDPR cautionary tale.
Pedro Hernandez is a contributing editor at eSecurity Planet. Follow him on Twitter @ecoINSITE.