xMatters is running a four-part blog series as a compliance checklist for the European Union (EU) General Data Protection Regulation (GDPR). Part 1 was about the Data Protection Officer.
Part 2: To comply with the GDPR, many organizations will have to conduct a Data Protection Impact Assessment. A Data Protection Impact Assessment is complicated, and it requires planning and investigation. Consult your Data Protection Officer, if you have one.
If you buy parts for your car at an auto parts store, you have to know more than the make, model, and year. At a minimum, you have to know how many cylinders it has, the size of the engine, and whether it's a hybrid. In the same way, you have to know how your organization processes data before you can tell whether you need to run a Data Protection Impact Assessment (DPIA).
According to the GDPR, the supervisory authority will publish a list of the kinds of processing operations that are subject to the requirement for a data protection impact assessment.
2. Apply a Risk-Based Approach to the Data Protection Impact Assessment
You may also need to run a DPIA if the nature, scope, context, and purposes of your data processing pose a high risk to people's rights and freedoms. If so, before processing can begin, the controller must produce an assessment of the impact on the protection of personal data.
Who exactly determines whether your organization's processing presents a high risk to the individuals' rights and freedoms? The text of the GDPR is not specific, so each organization will have to decide for itself.
Current legislation requires indiscriminate general notifications and has no enforcement mechanism even for those. The GDPR replaces those notification requirements with more effective procedures and mechanisms that focus on the processing operations posing the greatest risk to the rights and freedoms of individuals. The GDPR also carries hefty fines, so pay attention to risk avoidance.
A DPIA may reveal that the controller cannot mitigate high risk to personal information with the available technology and budget. In that case, the GDPR recommends (but does not mandate) consulting with the supervisory authority before processing.
3. Know What's in a Data Protection Impact Assessment
There are several elements the assessment has to include. For instance:
- Clearly describe the logistics and purposes of the proposed processing operations.
- Assess the scale of the processing operations against their objectives.
- Assess the risks to the rights and freedoms of data subjects.
- Explain how you plan to address the risks, including safeguards and security measures to protect personal data and demonstrate compliance with the GDPR.
4. Follow the Controller's Guidance
First, let's define our terms. A controller sets the direction for processing and data protection and takes responsibility for it. A controller determines the purpose for which data is processed. The data processor stores and/or processes data on behalf of the data controller.
5. Use the Data Protection Impact Assessment When Updating Procedures