When it became clear that the EU GDPR took a risk-based, rather than a conventional tick-box, approach to data privacy, the collective sigh of relief amongst data privacy specialists was deafening. Conventional compliance, although comprehensive in scope, is by nature slow and expensive, and ignores the question of risk priority. It puts process above outcome; the “how” above the “why”. There’s always a trade-off between speed and completeness, but in the blink-and-you’ll-miss-it age of digital acceleration, the risk-based approach is the common-sense approach.
It means that although the rules are consistent for every organisation affected by it, it’s not prescriptive. It focuses on the risk, which is different for every organisation and allows them to focus resources on activities that pose a high risk, rather than every data processing activity.
But it’s not without its own complexities. The GDPR focuses on two levels of risk – risk and high risk. This means that, in GDPR world, riskless data processing activities don’t exist. And it’s up to data controllers to decide what’s risky and what isn’t, or face the penalties.
Luckily, there is guidance. It covers proportionality, which is what you’d expect. Risk is a combination of two factors: the likelihood of something happening, and the severity of the results. We always look at risk in the context of our business activities, so what’s right for one organisation won’t be right for another.
First steps to risk-based compliance
When you review your operations, you’ll most likely already have a feel for which of your data processing activities are high-risk and which are less risky. High-risk activities oblige you to act, but genuinely low-risk activities are exempt from further action.
It’s good practice to use a structured approach that gives your experts the scope to prioritise risks. Such a structure doesn’t need to be rocket science, and could look something like this:
- Define risk
- Collect and analyse information
- Identify high risks
- Prioritise high risk
- Plan mitigation (DPIA)
- Measure success
- Improve process
Super high-risk activities
Certain activities are inherently high risk so examine how you:
Mitigate high-level risks through the DPIA
If you’ve identified a data processing activity that’s likely to be high risk, you’re obliged by the GDPR to carry out a data protection impact assessment (DPIA) before carrying out that activity.
A DPIA is similar to a Privacy Impact Assessment so you may already have much of the framework in place. Although the GDPR isn’t prescriptive about how you undertake a DPIA, it does require you to “evaluate, in particular, the origin, nature, particularity and severity” of the “risk to the rights and freedoms of natural persons” before processing. The DPIA “should include the measures, safeguards and mechanisms envisaged for mitigating” the risks you’ve identified.
Remember, you only need to carry out a DPIA when you’ve identified a high-risk activity. This is good news for beleaguered data controllers.
Wale Omolere is an experienced cyber security instructor and practitioner with over 18 years’ experience working in Consulting, Oil & Gas, Telecommunication, Automobile, and Asset & Wealth Management. He has a background in computer science, coupled with direct experience in all types of computing and networking platforms. He provides cyber security advisory services to business, as well as hands-on management of IT systems, projects, and operations. He has led the deployment of various cyber security technologies, developing processes for managing and monitoring security incidents.