Risk-based approach and impact assessment Flashcards
The risk-based approach and the accountability principle
The accountability principle enshrines a risk-based approach (risk analysis and management)
It is up to the controller to identify the risks connected to the processing activities that they carry out.
The risk-based approach and the accountability principle:
General obligation to manage risks
ART. 32 (1) GDPR
The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
Taking into account:
- the state of the art,
- the costs of implementation
- the nature, scope, context and purposes of processing, and
- the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The risk-based approach and the accountability principle:
Measures
- Pseudonymisation and encryption of personal data
- The ability to restore the availability and access to personal data in a timely manner
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Regularly testing, assessing and evaluating the effectiveness of technical and organisational measures adopted
What does “risk” mean?
RISK = EVENT + CONSEQUENCES (estimation in terms of SEVERITY and LIKELIHOOD)
GDPR: Recital no. 75
Every negative impact of data processing on data subjects' rights and freedoms that could lead to physical, material or non-material damage,
e.g.
- discrimination,
- identity theft or fraud,
- financial loss,
- damage to the reputation,
- loss of confidentiality of personal data protected by professional secrecy,
- unauthorised reversal of pseudonymisation,
- any other significant economic or social disadvantage;
- data subjects deprived of their rights and freedoms or prevented from exercising control over their personal data
Extended notion: risk of being profiled, of having one’s information shared with third parties, of being monitored for commercial purposes, etc.
Not all of these consequences stem from unlawful forms of processing:
- profiling, sharing and commercial monitoring are usually legitimised by the data subjects' consent, yet still carry a risk that must be managed
Where do risks come from?
Art. 32, para. 2, GDPR: account shall be taken of the risks presented by processing, in particular from
Accidental or unlawful:
- data destruction / data loss / data alteration
- unauthorised disclosure of, or access to, personal data
Personal data breach:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
How to manage risks
RISK ANALYSIS and RISK MANAGEMENT
RISK ANALYSIS (Recital 76)
- Identification of possible risks involved by processing activities
- Assessment of likelihood (that the risk event occurs)
- Assessment of severity (of the consequences of the event)
- Evaluation of whether the processing activities result in a high risk
Objective assessment:
by reference to the
- nature,
- scope,
- context
- purposes
of the processing
RISK MANAGEMENT
implementation of appropriate technical and organisational measures "to ensure a level of security appropriate to the risk" (Art. 32 para. 1).
How to manage risks:
Liability
The liability model laid down in the GDPR aims to prevent damage rather than merely compensate it.
Art. 33, 34 GDPR
A specific procedure to deal with data breaches:
- notification to Supervisory Authority
- communication to data subjects involved
- Data controller liability for not implementing the "technical and organisational measures" needed to address the risks referred to in the Regulation (see Art. 24: Responsibility of the controller)
- Administrative fines (Art. 83 para. 4 GDPR) plus liability for damages if the risks materialise into an impairment of rights and freedoms (Art. 82)
- The security obligation is a permanent obligation, not a one-off exercise
How to manage risks:
General guidance
Recital 77:
Guidance could be provided by
- approved codes of conduct,
- approved certifications, guidelines provided by the Board or indications provided by a data protection officer,
- Supervisory Authorities (white and black lists)
on
- the implementation of appropriate measures
- the demonstration of compliance
by the controller or the processor,
especially as regards
- the identification of the risks related to the processing,
- their assessment in terms of origin, nature, likelihood and severity,
- the identification of best practices to mitigate the risk.
How to manage risks:
Three steps
a) analysis of the process, product or activity that involves personal data processing;
b) assessment of the risk (types of risk, likelihood, severity);
c) adoption of appropriate measures to exclude or mitigate the risk.
How to manage risks:
Risk assessment
Tier 1: a first general, non-formalised risk assessment (Articles 24 and 35 para. 1 GDPR), which every controller must perform
Tier 2: a formal Data Protection Impact Assessment (DPIA), if mandatory
Tier 3: prior consultation of the Supervisory Authority (Art. 36), if the residual risk remains high
Data Protection Impact Assessment (DPIA)
Goal and Function
The Data Protection Impact Assessment (DPIA) evaluates
the origin, nature, likelihood, and severity of the data protection risk.
It describes:
- procedures to manage risks
- measures that can be adopted
It is a preventive data protection instrument.
The assessment is carried out in two steps:
1) the controller carries out the internal assessment;
2) if a high residual risk remains after mitigation, the Supervisory Authority must be consulted (Art. 36).
Data Protection Impact Assessment (DPIA):
when is it mandatory?
Art. 35, para. 1:
HIGH RISK
If a type of data processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons
- The use of new technologies can lead to a higher risk.
- A formalised and systematic study of processing situations that entail new risks
- Useful when something new is introduced
- A single DPIA may address a set of similar processing operations that present similar high risks (only one DPIA is needed)
- Conversely, different uses of the same technology product may each require their own DPIA
Art. 35 para. 3:
Non-exhaustive list of processing operations
considered high risk and for which a prior DPIA is required:
- a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based;
- processing on a large scale of special categories of data (Art. 9 GDPR) or of personal data relating to criminal convictions and offences (Art. 10 GDPR);
- systematic monitoring of publicly accessible areas on a large scale.
Other cases in which processing can imply a high risk (the controller's responsibility; the DPO's advice is of utmost importance):
a) WP29 Guidelines on DPIA (WP248, 2017) criteria:
examples
- Evaluation or scoring of people for various purposes
- Data concerning vulnerable data subjects
- Innovative use or applying new technological or organisational solutions
b) BLACK AND WHITE LISTS OF SUPERVISORY AUTHORITIES:
Art. 35 para. 4, 5
4. The Supervisory Authority shall establish and make public a list of the kinds of processing operations that are subject to the requirement for a DPIA (black list, mandatory)
5. The Supervisory Authority may also establish and make public a list of the kinds of processing operations for which no DPIA is required (white list, optional)
Data Protection Impact Assessment (DPIA):
when is it mandatory?
Exemption
EXEMPTION (Art. 35 para. 10)
Three cumulative conditions
1) Processing is based on
- Art. 6(1)(c): "necessary for compliance with a legal obligation to which the controller is subject"
- Art. 6(1)(e): "necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller"
2) The Union or Member State law that provides such an obligation or assigns such a task regulates the specific processing operation(s) involved
3) A DPIA has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis
Data Protection Impact Assessment (DPIA): Minimum requirements
Art. 35 para. 7
1) a systematic description of
- the envisaged processing operations
- the purposes of the processing,
- where applicable, the legitimate interest pursued by the controller;
2) an assessment of
- the necessity
- the proportionality
of the processing operations in relation to the purposes;
3) an assessment of the risks to
- the rights
- the freedoms
of data subjects;
4) the measures envisaged to address the risks
Sample template: see the DPC (Irish Supervisory Authority)
Art. 35 para. 2
The controller shall seek the advice of the DPO, where designated, when carrying out a DPIA
Data Protection Impact Assessment (DPIA):
Processing with a high risk
After the DPIA, the data controller must decide whether to
- start the data processing (having taken appropriate measures to sufficiently mitigate the risk), or
- if the residual risk is still high, consult the competent Supervisory Authority before processing (obligation to consult the S.A., Art. 36).
The competent Supervisory Authority may:
- issue written advice if it considers that the intended processing would infringe the GDPR
- within a period of up to eight weeks (which may be extended by six weeks, taking into account the complexity of the processing; the S.A. informs the controller of the extension and its reasons within one month of receipt of the request)
- No answer does not imply that the S.A. loses its powers to prohibit the processing or impose sanctions on the controller!
Risk-based approach and the accountability principle
It is up to the controller to
- identify and assess risks,
- choose and implement appropriate technical and organisational measures according to the specific processing activities they want to carry out
- Where not mandatory, the DPIA remains an optional and advisable tool
(it does not diminish the controller's obligation to implement measures to manage the risks to data subjects)
DPIA can help controllers to demonstrate that their processing activities comply with the GDPR, including with art. 32.
Permanent obligation:
a) Controllers must verify whether measures must be updated when changes occur in risks.
- New processing tools may require a DPIA!