The General Data Protection Regulation (GDPR) act will come into force in May 25, 2018. Organizations will need to review their ability to comply with GDPR. Organizations are feeling the urge to getting things done. To help navigate through this process with meaningful information, our subject matter experts will write blogs addressing important steps that your organization may want to take.
It is good to understand the pivotal role of Governance, Risk Management and Compliance (GRC) solutions can play to assist companies in GDPR compliance. The blog series will focus on how GRC solutions help form a holistic approach that amplifies, among other things, practice efficiencies, as many organizations are facing other regulatory obligations. We hope you will find this blog series helpful. Moreover, we are happy to answer any questions you may have about our GRC solutions.
The first step is having a summary visual that provides the foundation for all aspects of GDPR obligations. This visual will be used as a guideline for our blog posts. Below a summary outline of blog topics:
- Record of processing activities
- Initial Assessment & Data Protection Impact Assessment (DPIA)
- Risk Treatment & Data breach management
- Action Management & Reporting
- Role of the DPO
Initial Assessment & Data Protection Impact Assessment (DPIA) (Article 35)
In the first blog , we addressed the records of processing as one of the first steps towards GDPR compliance. In this blog, we will outline the Initial Assessment and Data Protection Impact Assessment (DPIA).
To determine if an application processes personal data of European citizens and therefore must comply with GDPR, an impact analysis needs to be performed to indicate the privacy risk level. Each asset, such as application and database, in the organization needs to be rated on a predefined set of questions involving its use, disclosure, purpose, and an evaluation of personal data resulting in a risk rating level assessment.
The Data Protection Impact Assessment (DPIA) ( article 35 of the GDPR) serves to determine, for new assets or projects in the company, if compliance with 'privacy by design' and 'privacy by default' ( article 25) is met. Privacy by default simply means that the strictest privacy settings automatically apply once a customer acquires a new product or service. In other words, no manual change to the privacy settings should be required on the part of the user. There is also a temporal element to this principle, as personal information must by default only be kept for the amount of time necessary to provide the product or service.
Privacy by design means that each new service or business process that makes use of personal data must take the protection of such data into consideration. An organization needs to be able to show that they have adequate security in place and that compliance is monitored. In practice this means that an IT department must take privacy into account during the whole life cycle of the system or process development.
When taking a privacy by design approach it is important to reduce privacy risks and building trust. A privacy by design approach can also lead to the following benefits:
- Potential problems are identified earlier
- Simpler problem solving with less costs
- Increased awareness of privacy and data protection across the organization
- Increased likelihood to meet legal obligations
- Organizations will be less likely to be in non-conformance with GDPR
- Actions are less likely to be privacy intrusive
The DPIA is used to establish what the risk impacting rights and freedoms of data subject on an organization would be - taking into account existing controls and measures. The DPIA's outcome, frequently referred to as the residual risk, provides the basis for management's decision to accept or treat the risk.
DPIA - what should it contain and when to carry out?
In general, the DPIA should include the data, e.g., measures, safeguards, and mechanisms, envisaged for mitigating the identified risks. A DPIA will shed light on the exposure that privacy risk can bring to an organization. An impact assessment helps to identify and address risks at an early stage by analyzing how the proposed uses of personal information and technology will work in practice. Unwanted exposures are mitigated through action plans.
According to the GDPR act, a DPIA asks four questions for organizations' to answer:
- What kind of personal information will be collected in the project?
- How it is collected, used, transmitted, and stored?
- How and why it can be shared? and
- How it is protected from inappropriate disclosure?
According to the GDPR, a DPIA should focus on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by their nature, scope, context, and purposes. A DPIA is considered to be carried out when personal data is:
- Evaluated or scored
- Subject to automated-decision making with legal or similar effect
- Systematically monitored
- Sensitive data or data of a highly personal nature
- Is processed on a large scale
- Used for matching or combining datasets
- Concerning vulnerable data subjects
- Used for innovative use or applying new technological or organizational solutions or
- Prevents the data subject from exercising a right or using a service or a contract
In some cases, the supervisory authority may also establish, and make public, a list of the kind of processing operations for which no data protection impact assessment is required. These are communicated by the supervisory authority. Besides, it may be the case that a data protection impact assessment has already been carried out as part of a general impact assessment. In that case, the organization will need to carry out a review to assess if processing of personal data is performed well. At a minimum, this should be done when there is a likelihood of, and severe change in, a processing operations risk.
Following our navigation of the GDPR Compliance visual, we have discussed the records of processing, initial assessments and data protection impact assessment. Our road towards GDPR compliance continues with the next blog post that will address risk treatment and data breach management.
How Nasdaq BWise can help organizations comply with GDPR
Nasdaq BWise enables organizations map the landscape of where personal data is processed within your organization's IT environment to produce consolidated reporting in support of GDPR compliance .
Illustrative benefits to using the BWise GDPR Compliance Solution:
- Efficiently collect, access, transfer, or share data assets
- Safeguard data privacy and data protection
- Determine the privacy risk level in the organization, based on a predefined set of questions involving answers on the use, disclosure, purpose, and evaluation of personal data resulting in a high, medium or low risk level
- Determine with a Data Protection Impact Assessment (DPIA) if compliance with 'privacy by design' and 'privacy by default' is met for new assets or projects in the company
- Establish an estimate of the risk impacting rights and freedom of the data subject and the support for risk acceptance or treatment.
- Determine which set of baseline requirements are already implemented or planned and where additional requirements need to be implemented to accept the residual risk.
- Powerful process workflows to ensure that policies to comply with GDPR are developed, approved, applied, and consistently improved.
- Integrated data feed management to allow integrations with Configuration Management Databases (CMDBs)
- Allows for the recording and notification of any incident to all relevant internal stakeholders within established thresholds
- Reports and dashboards that provide different analyses of GDPR conformance, including a statement of GPDR compliancy
- Central view on compliance data for easy tracking and monitoring of activities and actions to assure GDPR compliancy
GDPR is evidence that the topic of data privacy will continue to garner interest, especially as both the business and consumer environment are changing rapidly. Topics, such as the Internet of Things, disruptive technologies, new and untraditional market entrants, and technological use will force businesses to adapt their risk management practices in such a way that not only protects the current data of companies, but is predictive. Although GRC software solutions won't be able to stop all data breaches and attacks, it can provide the means to substantiate that data privacy is effectively managed, and managed well.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.