
Create a Data Protection Impact Assessment for GDPR


To comply with the GDPR, many organizations will have to conduct a Data Protection Impact Assessment, which can be complicated, and require planning and investigation.


xMatters is running a four-part blog series as a compliance checklist for the European Union (EU) General Data Protection Regulation (GDPR). Part 1 was about the Data Protection Officer.

Part 2: To comply with the GDPR, many organizations will have to conduct a Data Protection Impact Assessment. A Data Protection Impact Assessment is complicated, and it requires planning and investigation. Consult your Data Protection Officer if you have one; where a DPO has been designated, the GDPR requires the controller to seek the DPO's advice when carrying out the assessment (Article 35(2)).

1. Know How Your Organization Processes Data

If you buy parts for your car at an auto parts store, you have to know more than the make, model, and year. At a minimum, you have to know how many cylinders it has, the size of the engine, and whether it's a hybrid. In the same way, you have to know how your organization processes personal data (what you collect, why, where it flows, and who has access to it) before you can tell whether you need to run a Data Protection Impact Assessment (DPIA).

The GDPR (Article 35(4)) requires each supervisory authority to establish and publish a list of the kinds of processing operations that are subject to the DPIA requirement. Check the list published by your supervisory authority first: if your processing is on it, the question is already answered.

2. Apply a Risk-Based Approach to the Data Protection Impact Assessment

Beyond that list, you must run a DPIA whenever a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context, and purposes of the processing (Article 35(1)). If so, the controller must carry out the assessment before the processing begins.

Who exactly determines whether your organization's processing presents a high risk to individuals' rights and freedoms? The controller does, and the GDPR leaves the general test open. It does, however, name three cases in which a DPIA is required in particular (Article 35(3)): a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, that produces legal or similarly significant effects on individuals; large-scale processing of special categories of data or of data relating to criminal convictions and offences; and systematic monitoring of a publicly accessible area on a large scale. Outside those cases, and absent an entry on the supervisory authority's list, each organization will have to decide for itself and should document the reasoning behind the decision.

The Data Protection Directive (95/46/EC), which the GDPR replaces, required controllers to file indiscriminate general notifications with supervisory authorities, a burden that did not in all cases improve the protection of personal data. The GDPR replaces those notification requirements with procedures and mechanisms that focus on the processing operations which pose the greatest risk to the rights and freedoms of individuals (Recital 89). The GDPR also includes hefty fines, up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements, so pay attention to risk avoidance.

A DPIA may reveal that the processing would still present a high risk even with the mitigating measures the controller can take, for example because the available technology and budget cannot reduce the risk sufficiently. In that case the GDPR requires, not merely recommends, that the controller consult the supervisory authority before processing begins (Article 36(1)). The authority then has up to eight weeks, extendable by a further six, to provide written advice.


3. Know What's in a Data Protection Impact Assessment

At a minimum, the assessment must include the following (Article 35(7)):

  • A systematic description of the envisaged processing operations and their purposes, including, where applicable, the legitimate interest pursued by the controller.
  • An assessment of the necessity and proportionality of the processing operations in relation to those purposes.
  • An assessment of the risks to the rights and freedoms of data subjects.
  • The measures envisaged to address those risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.

4. Follow the Controller's Guidance

First, let's define our terms. A controller determines the purposes and means of the processing of personal data and is responsible for it, including for carrying out the DPIA. A processor stores and/or processes personal data on behalf of the controller. The processor does not own the DPIA, but it must assist the controller with it, and that assistance should be written into the processing contract (Article 28(3)(f)). If you are a processor, follow the controller's guidance on what to document and supply the technical detail (systems, data flows, retention, access controls) that the controller needs for the assessment.

5. Use the Data Protection Impact Assessment When Updating Procedures

So you want to craft new procedures or update your existing privacy policy. To ensure compliance with the GDPR and to maintain a consistent approach to privacy protection, start from the DPIA your Data Protection Officer has helped draft: it already records what you process, why, and which safeguards you committed to. The DPIA is not a one-time document, either. The controller must review it, at least when the risk represented by the processing operations changes, to check that processing is still performed in accordance with it (Article 35(11)), so any change to procedures or policy is a trigger to revisit the assessment.

Up Next in Part 3: Privacy Policy



Published at DZone with permission of Robert Hawk, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
