How a Data Protection Impact Assessment can work for your business.
The first of September marked 185 working days to the deadline for GDPR. By now most organisations should be well on their way to identifying, if not implementing, their solutions.
By now you should have completed your data exploration and be getting ready to do your Data Protection Impact Assessment (DPIA). This is mandated by the GDPR and it is therefore important. Not least, failure to conduct a DPIA could result in a fine of up to 2% of global turnover or up to €10m, which is not a risk worth taking.
Simply put, the DPIA is nothing more than a risk assessment. I’m sure most businesses are used to assessing their risks, whether formally or just as a thought process. The DPIA has to be formal. However, that doesn’t mean it has to be complex, but it does have a slightly different twist. You need to assess the risk of holding personal data from the point of view of the data subject. In effect, this means asking: if the risks you identify were to be realised, what would be the potential effect on the data subject? That will take a little bit of thought. When considering how important a risk is, and therefore what steps will be put in place to minimise it, the effect on the data subject will need to be considered.
The process is not as daunting as it might first seem. If you have completed your data exploration, you have gone a long way towards preparing one of the major inputs into the assessment. You will know what information you hold, why you hold it and how it flows into your organisation, inside the organisation and out again.
The next stage is to identify the risks your organisation faces and how these relate to the data you hold. Don’t forget, in assessing these, to consider what the effect would be for the data subject if the risks materialised.
Once you understand the risks and the impacts on your organisation and the data subject, you can assess what measures you will put in place to reduce them. The measures you put in place should be proportional to the risks you have identified. This is important: there is no ‘one size fits all’. If you have a limited budget, spend it on the areas that you see as appropriate, not on what the latest advertisements say will take away all your problems. Sadly, many of these solutions aren’t the silver bullet they claim to be.
It is important that the DPIA is ‘signed off’ at the highest level of the organisation. This will demonstrate that the organisation is completely ‘on board’ with the proposed approach. Then it is just a matter of integrating the approach in the organisation.
As a tip for getting adoption of the proposed approach, I would recommend that you do your data discovery exercise by looking at your processes. By doing this, you will understand not only your data, but also the way your organisation really works. Whilst this may take a little bit of time up front, it will allow you to consider these processes as you define solutions for privacy of data. Too often, we see organisations implement security and data protection processes on top of existing processes. This adds overhead for those following the process and invariably they find workarounds, which can end up destroying the original purpose. Take a look at some of the recent findings of the Information Commissioner and you will find some good examples.
Finally, it may be hard, but try to look at doing this assessment as a business improvement exercise rather than a compliance exercise. That way you may be able to meet the requirements of GDPR and achieve some benefits for your organisation.
If we can be of any help, please contact us.