Among the objectives of the General Data Protection Regulation (GDPR) is to make data protection a central consideration for businesses developing new products, services, systems and processes.
The concept of ‘Privacy by Design’ is not new, but it deserves renewed attention as organisations work to improve their information security posture before the GDPR applies on 25 May 2018. By raising awareness of privacy and data protection at the design stage, Privacy by Design helps to mitigate the risk of a serious data breach, builds customer and partner confidence and, by surfacing problems earlier in the development cycle, ensures that concerns are simpler and less costly to address than they would be after deployment.
What is a DPIA?
Familiarising your organisation with the Information Commissioner’s Office’s code of practice on Privacy Impact Assessments (PIAs), which the GDPR refers to as Data Protection Impact Assessments (DPIAs), is one of the ICO’s 12 recommended steps to help prepare for the GDPR. DPIAs, also known as PIAs, are designed to put the principle of Privacy by Design into practice by ensuring that data protection and security issues are considered from the outset of a project rather than retrofitted later.
‘An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.’ ICO, PIA Code of Practice
A DPIA should include a description of the processing operations and their purposes, assess the necessity and proportionality of the processing, evaluate the risks to the rights and freedoms of individuals, and identify the measures envisaged to address those risks. Typical questions that need to be considered as part of a DPIA/PIA include:
Is personal data processed fairly and lawfully?
Are appropriate technical and organisational measures in place to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage?
Will personal data be transferred outside of the EEA?
Is a process in place to respond to subject access requests?
When should a DPIA be conducted?
Article 35 of the GDPR requires a DPIA to be carried out before processing begins wherever that processing, in particular when it uses new technologies, is likely to result in a high risk to the rights and freedoms of individuals. In practice this means assessing at the outset of new business projects, when new technologies are deployed (for example as part of an infrastructure upgrade) and where special categories of data are processed on a large scale.
How to get more information and advice
For organisations that need support addressing the requirements of the GDPR, including conducting Data Protection Impact Assessments and introducing the appropriate safeguards to protect personal data, Redscan’s knowledgeable and friendly experts can help.
Our GDPR services include cyber security consultancy, penetration testing, Cyber Essentials certification and managed detection and response (MDR). To help address the security challenges of cloud adoption, many organisations are now turning to a managed cloud security service to provide an extra layer of protection.