The burden of compliance with GDPR is causing concern to many organizations. At the heart of the new regulation is a risk-based approach that, if properly implemented, can produce proportionate and effective compliance programmes that make the best use of your available resources.
This fourth post in our GDPR blog series explores a pragmatic risk-based approach to GDPR compliance and examines some aspects of the GDPR that can help to focus your activities to drive the best returns on your compliance investment.
There are four aspects of GDPR that are particularly helpful in guiding a risk-based approach:
• Article 30 – Records of processing activities
• Article 25 – Data protection by design and default
• Article 35 – Data Protection Impact Assessment
• Article 32 – Security of processing
Here’s how I believe they fit together in three steps to a risk-based approach to GDPR:
A. Build a risk register
Article 30 requires data controllers and processors to maintain a record of processing activities (you can read more about it in my post on Article 30 here). Do this systematically, adding new processing activities to the record as they are designed, so that the record stays comprehensive. This creates a strong foundation for assessing the risks to personal data in your organization and is a great starting point for compliance with both Article 25 – Data Protection by Design and by Default and Article 35 – Data Protection Impact Assessments.
Both Article 25 and Article 35 include an element of risk assessment and risk control through technical and organizational measures. Therefore, the record of processing activities you build for Article 30 can also become your risk register. This enables you to capture centrally the data protection risks, the outcomes of your risk assessments, and the technical and organizational controls implemented to mitigate the identified risks.
B. Assess the risk
Compliance with Article 25 requires you to assess and document the risks associated with processing activities (ideally in your central register of processing activities). Risks are typically rated as high, medium or low, based on a combination of the likelihood of the risk occurring and the severity of the consequences for the rights and freedoms of natural persons.
Article 35 gives guidance on what constitutes high-risk processing activities and mandates a Data Protection Impact Assessment (DPIA) prior to the processing where high-risk activities are identified.
Both the UK Information Commissioner’s Office and the Article 29 Data Protection Working Party provide useful guidance about the conduct of DPIAs. Whatever methodology you choose to follow, it is vital to ensure that you have an adequate record of your DPIA risk assessment process and outcomes.
C. Implement controls
Risk assessment is an ongoing procedure that reflects the dynamic technical environment in which personal data is typically processed. As risks are identified, it is important to ensure that proportionate and effective controls are put in place to mitigate them. Article 32 gives guidance on the sort of technical and organizational measures that may be required, depending on the level of risk identified. Again, the process of determining and implementing technical and organizational measures should be clearly documented and linked to the central risk register you build to comply with Article 30.
Enabling a risk-based approach to data protection requires the systematic application of technical and procedural measures, as described above. But the success of these measures is likely to depend on building effective human networks within your organization and with external parties. Below is a sample description of the key roles involved in this change:
Legal / IT / Risk / Audit
GDPR has both legal and technical dimensions. Understanding and interpreting the law and management of the legal risk is likely a Legal or Compliance team responsibility. However, the IT and IT Security organizations are key enablers of the technical and organizational measures that can be implemented to protect data.
It’s also likely that your IT Security organization is already complying with, or at least guided by, standards such as ISO 27001, which already aligns well with many GDPR requirements.
Risk and Audit departments are experts in risk management and are often informed by standards such as ISO 31000. These standards can advise on building risk registers and on assessing, mitigating and monitoring risk.
It is likely that much processing activity is conducted by external data processors on behalf of your organization. In these cases, the data controller remains fully accountable for Data Protection Impact Assessments. The most effective way to manage the risk assessment and oversight of processing done by third parties is through the use of a third-party risk management tool. Check whether your IT department is already using an IT Vendor Risk Management tool.
It’s vital that all employees understand their role in protecting others’ personal data. Anyone involved in the design, implementation or management of processes and systems that handle personal data can pose a risk. It’s important that they understand and comply with the requirements for data protection by design and default and for Data Protection Impact Assessments. Make this part of your targeted GDPR training campaign.
Don’t reinvent the wheel
There’s a lot to do and not long to go before GDPR comes into force. Building entirely new systems and processes from scratch can be both costly and time-consuming. SAI Global’s best-practice-based, out-of-the-box GDPR software solution and GDPR Learning enable a risk-based approach to GDPR compliance that can be quickly and easily implemented.