How to Conduct a GDPR Risk Assessment
So, you have started a company that gathers personal data from data subjects (customers in the EU). The question is what you need to do to be GDPR compliant. One of the first things to do once the company is up and running is a GDPR risk assessment, to find any gaps in how you protect your customers' data and to protect yourself from a breach or an audit.
What Is A GDPR Risk Assessment?
A GDPR Risk Assessment is the process of identifying, analyzing and evaluating threats and vulnerabilities. In an information security context, risk assessments are crucial for working out the ways cyber criminals and employees might compromise sensitive information.
The best practices for information security risk assessments are outlined in ISO 27001, the international standard for an ISMS (information security management system).
In practice this means a gap analysis: comparing what your information systems and software applications actually do with what the regulation requires, and deciding what steps are needed to close the difference. Only once those gaps have been identified and filled can you credibly say that your company is GDPR compliant. So the big question is: how do you go about taking one, and how do you prepare for one?
Is a GDPR Risk Analysis Necessary?
If the fact that GDPR requires security measures appropriate to the risk (Art. 32) and, for high-risk processing, a Data Protection Impact Assessment (Art. 35) is not enough motivation to begin, bear in mind that the penalties for even a small breach can quickly become staggering. GDPR is one of the world's strictest security and privacy laws, and it imposes obligations on organizations anywhere, so long as they target or collect data relating to people in the European Union. It levies harsh fines on those who violate its privacy and security standards: up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. So performing a risk assessment not only gives you an opportunity to identify potential risks and vulnerabilities; it also lets you take action to safeguard personal data, which can protect your organization from severe fines and, in some member states, from criminal penalties for the individuals responsible under national law.
Steps to Ensure GDPR Compliance
Before taking the risk assessment, here is a list of terms you should know and a quick checklist of things to do, so that when you do take the risk assessment you are in a good position rather than severely lacking.
Data Subject – a natural person whose personal data is processed by a controller or processor.
Data Controller – the entity that determines the purposes, conditions, and means of the processing of personal data.
Personal Data – any information related to a natural person or Data Subject that can be used to directly or indirectly identify the person.
Data Processor – the entity that processes data on behalf of the Data Controller.
Data Protection Officer (DPO) – the GDPR requires some organizations to designate a DPO. These include public authorities, organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and organizations that process special categories of personal data (what used to be called "sensitive personal data") or criminal conviction data on a large scale.
How to Become GDPR Compliant
Step 1: First, update or create the privacy notices on your site. They must explain to the data subject (customer/client) what your company collects, why, on what lawful basis, and how the data is stored and used. Where you rely on consent as the lawful basis, it must be an explicit opt-in, a clear affirmative action by the data subject; pre-ticked boxes or opt-out mechanisms do not count as consent under GDPR.
Step 2: Next, identify all personal data you store or plan to store, including where it lives and how it is shared. Remove any personal data you do not need, and make sure what remains is kept secure and used only for the purpose it was collected for. Once the data has been discovered, action can be taken. The first step should be to reduce the workload: redundant, obsolete and trivial data (ROT) should be deleted, which cuts both storage costs and liability.
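As an added example that is not part of the original article, the script below builds a small personal-data inventory of the kind Step 2 calls for: it scans constructed sample data stores for personal-data fields and patterns, records which categories each store holds, and flags records older than an assumed two-year retention period as ROT candidates. The store names, field names, detection regexes and retention period are all assumptions for illustration.

```python
"""Personal-data inventory with stale-record (ROT) flagging.

Added example (not code from the original article): the kind of
personal-data register Step 2 asks for. The data stores, field names,
detection patterns and two-year retention period are assumptions.
"""
import re
from datetime import date, timedelta

# Constructed sample: what a crawl of a CRM table, a support-ticket
# export and an old marketing export might return (assumed layout).
SAMPLE_STORES = {
    "crm.customers": [
        {"id": 1, "name": "Alice Example", "email": "alice@example.com",
         "last_accessed": "2024-05-01"},
        {"id": 2, "name": "Bob Example", "email": "bob@example.org",
         "last_accessed": "2021-02-15"},
    ],
    "support.tickets": [
        {"ticket": 501, "body": "Call me on +44 20 7946 0958 about my order",
         "last_accessed": "2024-06-10"},
    ],
    "marketing.old_export": [
        {"row": 1, "contact": "carol@example.net", "last_accessed": "2020-01-01"},
    ],
}

# Fields that are personal data by definition, plus patterns that catch
# personal data hiding in free-text fields under other names.
PERSONAL_FIELDS = {"name", "email", "phone", "address", "dob"}
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}
RETENTION = timedelta(days=365 * 2)  # assumed retention policy: two years


def classify(field, value):
    """Categories of personal data found in one field of one record."""
    cats = set()
    if field in PERSONAL_FIELDS:
        cats.add(field)
    if isinstance(value, str):
        for cat, rx in PATTERNS.items():
            if rx.search(value):
                cats.add(cat)
    return cats


def build_inventory(stores, today_iso):
    """Which personal-data categories each store holds, and its stale records.

    Only stores that actually contain personal data appear in the result,
    so the inventory doubles as the list of systems in scope for GDPR.
    """
    today = date.fromisoformat(today_iso)
    inventory = {}
    for store, records in stores.items():
        entry = {"categories": set(), "records": len(records), "stale": []}
        for rec in records:
            for field, value in rec.items():
                if field != "last_accessed":
                    entry["categories"] |= classify(field, value)
            last = date.fromisoformat(rec["last_accessed"])
            if today - last > RETENTION:
                entry["stale"].append(rec)
        if entry["categories"]:
            inventory[store] = entry
    return inventory


def rot_candidates(inventory):
    """Records past retention in stores holding personal data: delete these first."""
    return {store: e["stale"] for store, e in inventory.items() if e["stale"]}


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_STORES, "2024-07-01")
    for store, entry in inv.items():
        print(f"{store}: {sorted(entry['categories'])}, "
              f"{len(entry['stale'])}/{entry['records']} records past retention")
    print("ROT to delete:", {s: len(r) for s, r in rot_candidates(inv).items()})
```

The pattern-based detectors matter as much as the field-name check: the support ticket and the old marketing export hold personal data under field names (`body`, `contact`) that no schema review would flag, which is exactly the data that tends to be missed in an inventory and then turns up in a breach.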
Step 3: The GDPR applies to external email and other communications as much as it does to internal processes. Sharing personal data such as name, address or age must be done securely: use encrypted email (or a secure file-transfer channel) to send or receive data from clients and other external contacts. This is where the data security strategy you have hopefully already built comes in: VPNs, DLP solutions, and encryption of sensitive data in transit and at rest.
Step 4: This one is just common sense: have a plan for dealing with a data breach. It should detail the processes you have in place to detect a breach, stop it, prevent further breaches, and notify the supervisory authority within 72 hours of becoming aware of it (Art. 33). Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay (Art. 34).
Step 5: You also need the means to delete a customer's data on request (customers have the right to have all their personal data erased, within certain limits such as legal retention obligations), and to deliver the data you hold on a customer in a commonly used electronic form if they ask for it. Such requests must be answered without undue delay and at the latest within one month, extendable by two further months for complex requests.
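The following is an added example, not code from the original article, showing the two mechanisms Step 5 requires: exporting everything held on a data subject in a machine-readable form with the one-month response deadline attached, and erasing the subject's records while retaining those under a legal hold (here, invoices kept for tax purposes). The store layout, the use of the email address as the subject key, the legal-hold set and the sample records are assumptions for illustration.

```python
"""Data subject access request (DSAR) export and erasure.

Added example (not code from the original article): a minimal
implementation of the two mechanisms Step 5 asks for. The store
layout, the email-as-subject-key convention, the legal-hold rule and
the sample records are assumptions for illustration.
"""
import calendar
import copy
import json
from datetime import date

# Constructed sample stores. Every record carries the subject's email,
# which this example uses as the subject identifier across stores.
STORES = {
    "crm.customers": [
        {"email": "alice@example.com", "name": "Alice Example", "tier": "gold"},
        {"email": "bob@example.org", "name": "Bob Example", "tier": "basic"},
    ],
    "billing.invoices": [
        {"email": "alice@example.com", "invoice": "INV-7", "amount": 42.0},
    ],
    "analytics.events": [
        {"email": "alice@example.com", "event": "login"},
        {"email": "alice@example.com", "event": "purchase"},
    ],
}
# Assumption: invoices must be kept for tax purposes, so an erasure
# request cannot remove them (the "certain limits" of Step 5;
# GDPR Art. 17(3)(b), compliance with a legal obligation).
LEGAL_HOLD = {"billing.invoices"}


def fresh_stores():
    """Deep copy of the sample data so erasure can be exercised repeatedly."""
    return copy.deepcopy(STORES)


def subject_records(stores, email):
    """Every record in every store that belongs to the subject."""
    found = {}
    for store, recs in stores.items():
        mine = [r for r in recs if r.get("email") == email]
        if mine:
            found[store] = mine
    return found


def response_deadline(received_iso):
    """Art. 12(3): answer without undue delay and at the latest within one month.

    'One month' is taken as the same calendar day next month, clamped to
    that month's length (31 Jan -> 28/29 Feb). Returns an ISO date string.
    """
    received = date.fromisoformat(received_iso)
    year = received.year + (1 if received.month == 12 else 0)
    month = received.month % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()


def export_subject(stores, email, requested_iso):
    """Portable copy of everything held on the subject (Art. 15 / Art. 20)."""
    return {
        "subject": email,
        "requested": requested_iso,
        "deadline": response_deadline(requested_iso),
        "data": subject_records(stores, email),
    }


def erase_subject(stores, email):
    """Delete the subject's records except where a legal hold applies.

    Mutates `stores` in place and returns (deleted_count, retained_stores)
    so the reply to the subject can state what was kept and why.
    """
    deleted, retained = 0, []
    for store, recs in stores.items():
        if store in LEGAL_HOLD:
            if any(r.get("email") == email for r in recs):
                retained.append(store)
            continue
        before = len(recs)
        recs[:] = [r for r in recs if r.get("email") != email]
        deleted += before - len(recs)
    return deleted, retained


if __name__ == "__main__":
    stores = fresh_stores()
    print(json.dumps(export_subject(stores, "alice@example.com", "2024-01-31"), indent=2))
    print(erase_subject(stores, "alice@example.com"))   # (3, ['billing.invoices'])
    print(subject_records(stores, "alice@example.com"))  # only the invoice remains
```

Two things a production version must add on top of this: verify the requester's identity before returning an export (a DSAR endpoint that hands out a full profile to anyone who knows an email address is itself a data breach), and log each export and erasure so the DPO can evidence that requests were handled within the deadline.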
Step 6: Last, but not least, designate a Data Protection Officer to monitor compliance with the regulation, advise on and document processes, and ensure adherence. This is the step that matters most if the worst happens. The DPO should be able to produce reports that clearly show regulators that:
- You know what personal data you have and where it is located, across your data landscape.
- You properly manage the process for getting consent from the individuals involved.
- You can prove how personal data is used, who uses it, and for what purpose.
- You have the appropriate processes in place to manage things like the right to be forgotten, data breach notifications and more.
REMINDER: A DPIA (Data Protection Impact Assessment) is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals, and at least in the following cases:
- A systematic and extensive evaluation of the personal aspects of an individual, including profiling
- Processing of sensitive data on a large scale
- Systematic monitoring of public areas on a large scale
Data Protection Impact Assessment required
- A bank screening its customers against a credit reference database
- A hospital about to implement a new health information database with patients' health data
- A bus operator about to implement on-board cameras to monitor drivers' and passengers' behaviour
- New tracking software on a mobile device
- A new method of charging credit cards or scanning ID
Data Protection Impact Assessment not required
A community doctor processing the personal data of their patients. There is no need for a DPIA here, because processing by an individual community doctor is not done on a large scale when the number of patients is limited.