GDPR’s Data Protection Impact Assessment and its Implications for Organizations

A data breach may be viewed as the accidental or unlawful destruction, loss, alteration or unauthorized disclosure or, access to data . Over the years, the security broadcasts are generally replete with numerous incidences of data breaches across the globe. Therefore, it is little surprise that 1 in 4 business have experienced this type of incident . The significant financial impact is also unmistakable as the total average cost is estimated to be 3.62 million dollars, which equates to in excess of$300,000 dollars .

The frequency and costly consequences of data breaches have in turn resulted in a greater demand for privacy and security. As a result, organizations are being called to account through various security and compliance measures. One such compliance measures, is the regulatory requirements under the EU General Data Protection Regulation (GDPR), which will come into operation on May 25, 2018. Therefore, organizations need to, if they have not already, begin to prepare their people and internal processes to meet this compliance requirement on or before May 25, 2018.

The GDPR outlines detailed requirements to assist an organization in protecting data and minimizing the risk of breach of privacy. For instance, the GDPR requires data controllers to conduct Data Protection Impact Assessments (DPIAs) as a means of minimizing risks to data subjects, particularly where privacy breach risks are high.

This increased emphasis on the protection of data will be beneficial to both customers and the organizations. The customers will experience increased confidence in organizations using and safeguarding their personal data. The benefits to an organization includes:

• Reduced financial losses;
• Reduction in data breach risk;
• Increased compliance with industry best practices;
• Improved security posture; and
• Minimized risk of damage to reputation.
• Minimizing Risk of Data Breach

In order to manage business risk, an impact assessment is normally used to assist an organization in its decision-making process. The impact assessment helps to identify:

• The high risks areas;
• The impact on the business if certain risk events occur; and
• Measures to be adopted to prevent the risk event from occurring, and if the risk event occur.

Appropriately, several industries have integrated impact assessment as part of their business to help provide insight into vulnerable areas of operations. The underlying principles of the DPIA is no different, as it seeks to ensure that organizations effectively manage data privacy risks.

Despite the potential benefits from GDPR, including DPIA, many security analysts have forecasted challenges in the implementation of the GDPR. For instance, Forrester Research has made a startling prediction that 80% of firms affected by GDPR will fail to comply with the regulation by May 2018 deadline . It further stated that 50% of these non-compliant firms will intentionally not comply and the other 50% are trying to comply but will fail. It is argued therefore that those trying but will fail is linked to several factors including, the limited knowledge of the ambit of GDPR and the access to experienced professionals to guide them through the stages of compliance.

Given the security and compliance landscape, it is forecasted that privacy impact assessment will become entrenched and evolve into an industry standard for security management in organizations over the next few years, thereby extending the reach of the current legislative requirement.

Based on these developments, the purpose of this paper therefore is to engage in the dialogue to consider some of the typical questions an organization may have in relation to this new compliance requirement, such as:

• What is the DPIA?
• When is the DPIA required?
• Why is the DPIA necessary? and
• What are some of the considerations in conducting a DPIA?

What is the Scope of GDPR?

The scope of GDPR extends beyond the borders of the European Union (EU). It applies to the processing of personal data whether automated or not, where these activities are in relation to:

• Organizations established in the EU; and
• Organizations not established in the EU,

If they:

• Offer goods or services (free or paid); or
• The monitor the behavior of data subjects that takes place in the EU .

This means that a global entity and any organization with an online presence will likely fall under the ambit of these rules. Consequently, there are certain essential requirements that these organizations involved in the processing of personal data must adhere to, as

indicated in Table 1 . These include the provision of consent and conducting a DPIA under certain circumstances.

Table 1: Essential Requirements under GDPR

Rules	Description
Consent	(1) Consent requests must be clear and intelligible, and distinguishable from other matters.(2) The right to withdraw consent must be also clear
Rights of Data Subjects	Provides for extended rights such as: Timely mandatory notification of breach Right to access to information on the nature and form of personal data being processed Right to be forgotten
DPIA	Mandatory where the type of processing is likely to result in a high risk to the rights and freedoms of a natural person/data subjects
Penalties	An organization in breach may be fined up to 4% of annual global turnover or ?20 million

What is the DPIA?

The DPIA is a diagnostic tool or process that provides the decision-makers with information relating to personal data protection risks and vulnerabilities. For this reason, the main purpose of the DPIA is to assist in identifying and mitigating against personal data protection risks arising from the operations and activities of an organization.

When is the DPIA required?

A DPIA is required when the type of processing (i.e. the use, collection, storage, etc) of the personal data is likely to result in a high risk to the rights and freedoms of a natural person. In other words, where there is a likely risk to privacy and security of the personal data when it being used in daily operations, for example, a DPIA becomes necessary.

A DPIA is also required when:

1) processing on a large scale of special categories of data, such as:

a. Those revealing

• Racial or ethnic origin
• Political opinion
• Religious and philosophical beliefs
• Trade union membership

b. Those processing

• Genetic data
• Biometric data
• Health related data
• Data relating to a person sex life or sexual orientation

2) processing on a large scale of personal data relating to criminal convictions and offences;

3) systematic and extensive evaluation of personal aspects relation to a natural person, based on automatic processing, including profiling of the person;

4) systematic monitoring of publicly accessible information.

In summary, DPIA is required where the processing of personal data is likely to infringe on the fundamental right of protection of that personal data. Therefore, whenever organization use, stores, collects or records personal data and there is a high risk that these activities will lead to reduced protection or breach of personal data, a DPIA is required. The GDPR explicitly mentions certain high-risk activities such as the use of new technologies and the processing of certain types of data.

Things to Consider for DPIA

Undertaking a DPIA will involve determining the impact of processing activities will have on personal data security and privacy. Therefore, the primary goal of the DPIA is to determine the specific type of effect the organization business processes will have on safeguarding personal data.

Article 35 of the GDPR outlines some of the basic elements of what an assessment should include, such as:

• Description of the envisaged processing operations;
• The purposes of the processing including the legitimate interests pursued;
• An assessment of the necessity and proportionality of the processing operations in relation to the purpose;
• An assessment of the risks to the rights and freedoms of the data subjects;
• The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure protection of personal data.

Moving Forward

The protection of personal data is a fundamental right of any person. As a result, organizations must take steps to ensure that the risk of unauthorized and unintentional data breach is minimized.

Some of the key considerations for an organization include:

• Obtaining and including qualified professional across the legal, security and business domains to assist in the implementation of GDPR related project;
• Developing awareness of GDPR and its requirements among all categories of staff, especially those who will be processing personal data (via automated and non-automated means);
• Conducting detailed assessment of how personal data is used and processed in the organization and across the supply chain to identify strengths, vulnerabilities and risks;
• Developing strategies and practices to response to these strengths, vulnerabilities and risks;
• Adopting and refining a risk-based approach to the management of operations, including the processing of personal data; and
• Seeking the advice of the data protection officer, even when not in doubt.

In closing, conducting the DPIA is one compliance measure that global organizations, in particular are required to undertake to protect the rights and freedoms of data subjects by safeguarding their personal data from accidental or unlawful destruction, loss, alteration or unauthorized disclosure or, access to data. This move should help to reduce vulnerabilities and improve security controls in these organizations. As the security landscape continues to evolve, strategies to combat cybercriminals and improve controls have become a necessity, and not only a legislative mandate.

About Wilson Consulting Group

Wilson Consulting Group is an innovative global cybersecurity consulting firm headquartered in Washington D.C., with a European office in London, England.

We specialize in governance, cybersecurity, risk, and compliance consulting services, providing our clients with strategic guidance, technical solutions, and business advice to best serve their individual needs. We have the capacity to assist you in meeting your security mandate. Further information is available at https://www.wilsoncgrp.com