How to Adopt the GDPR Risk Based Approach
Much has been discussed about the new General Data Protection Regulation (GDPR) since its release in April 2016. Since the impact of the regulation is far-reaching and is not restricted to any particular sector, it will affect any organization treating Personally Identifiable Information in one way or another, regardless of the sector in which the organization operates. The regulation will clearly impact financial services, but also sectors such as healthcare, telecom, retail, education, and many more. The common theme in most of the blogs and articles on the subject is the core idea that data and data processes must be identified and categorized. I have previously written on the best approach to dynamically build this view of all data impacted by GDPR. Today, I would like to discuss another key aspect of the regulation: the GDPR Risk Based Approach.
The ultimate purpose of the regulation is to protect an individual’s rights and hence their personally identifiable information (PII). Protecting individuals’ data is not only about understanding what data the organization holds and for what purpose, but also about understanding and evaluating the risks individuals are exposed to due to potential data breaches. Article 24 of the regulation lays the foundation of the risk based approach and the inherent responsibilities of the controller:
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation
The risk is clearly defined as a combination of the likelihood of occurrence and the severity of the impact on the individual’s rights and freedoms associated with a data processing activity. It is worth noting that the purpose of a Risk Based Approach is not to eliminate all risk, but rather to evaluate the potential risks and use mitigation techniques to control and minimize potential impacts. This risk evaluation and mitigation process is an inherent part of privacy by design.
What constitutes a risk as defined in the GDPR? On this topic, the regulation provides some guidelines through examples in Recital 75. At a high level, the regulation defines risk as physical, material or non-material damage that could result from any particular data process. This can include discrimination, identity theft, fraud, reputational damage, loss of data confidentiality, unauthorized reversal of pseudonymisation, or any other significant economic or social disadvantage.
The GDPR guidelines only focus on two levels of risk: Risk and High Risk. Inherent in this approach is the view that all data processing activities have at least some level of risk, i.e. there is no such thing as a riskless data activity.
For data processing activities that have been deemed High Risk, the controller will be required to conduct full-scale Data Protection Impact Assessments (DPIA). Article 35 of the regulation outlines some minimum requirements for a DPIA:
- Systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes
- An assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1
- The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
Once the risk levels have been identified, the controller must use mitigation techniques to control these risks. In the case of high risk data processing activities, the DPIA must include these mitigation processes. Where mitigation is not possible, the organization will be required to consult the local Data Protection Authorities before implementing the relevant activity. Other data activities that do not represent a high risk are exempt from the DPIA requirement but must still be monitored, controlled, and mitigated where possible.
Compliance with the GDPR Risk Based Approach will require controllers to closely monitor the risk levels of their data processing activities. A compliant GDPR solution should enable controllers to monitor a matrix of at least the following KPIs against the data processing activities:
- Frequency of occurrence of a risk
- Severity of occurrence of a risk
- Resulting risk levels before mitigation
- Mitigation process and its impact on risk
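The following is an added example, not code from the original post or from Collibra, showing how the two-level model described above (risk = likelihood combined with severity, High Risk triggering a DPIA, and DPA consultation when mitigation cannot bring the risk down) can be tracked as the KPI matrix just listed. The 1-5 scales, the High Risk threshold and the sample register are constructed assumptions for illustration; the GDPR itself prescribes no numeric scale.

```python
from dataclasses import dataclass, field

# Assumed scoring: likelihood and severity each scored 1 (rare/negligible) to 5
# (frequent/severe). A product at or above the threshold is "High Risk"; the
# threshold is an assumption for this example, not a value from the regulation.
HIGH_RISK_THRESHOLD = 12


@dataclass
class Mitigation:
    name: str
    likelihood_delta: int = 0   # how many points the measure lowers likelihood
    severity_delta: int = 0     # how many points the measure lowers severity


@dataclass
class ProcessingActivity:
    name: str
    likelihood: int             # KPI: frequency of occurrence of the risk (1-5)
    severity: int               # KPI: severity for the data subject's rights (1-5)
    mitigations: list = field(default_factory=list)


def level(likelihood, severity):
    """Only two levels exist: every activity carries at least 'Risk'."""
    return "High Risk" if likelihood * severity >= HIGH_RISK_THRESHOLD else "Risk"


def assess(activity):
    """One KPI row: inherent (pre-mitigation) and residual risk, plus the
    DPIA / DPA-consultation decision that follows from the two levels."""
    inherent = level(activity.likelihood, activity.severity)
    lik, sev = activity.likelihood, activity.severity
    for m in activity.mitigations:          # KPI: mitigation and its impact on risk
        lik = max(1, lik - m.likelihood_delta)  # risk never drops to zero
        sev = max(1, sev - m.severity_delta)
    residual = level(lik, sev)
    return {
        "activity": activity.name,
        "inherent_score": activity.likelihood * activity.severity,
        "inherent_level": inherent,
        "residual_score": lik * sev,
        "residual_level": residual,
        "dpia_required": inherent == "High Risk",
        # Mitigation could not bring the risk down: prior consultation of the DPA
        "consult_dpa": inherent == "High Risk" and residual == "High Risk",
    }


# Constructed sample register (hypothetical activities, not from the original post).
REGISTER = [
    ProcessingActivity("Marketing newsletter", likelihood=2, severity=2),
    ProcessingActivity("Patient record analytics", likelihood=3, severity=5,
                       mitigations=[Mitigation("pseudonymisation", severity_delta=2),
                                    Mitigation("access control", likelihood_delta=1)]),
    ProcessingActivity("Credit scoring profiling", likelihood=4, severity=4,
                       mitigations=[Mitigation("data minimisation", severity_delta=1)]),
]


def dpia_queue(register):
    """Names of the activities that need a full-scale DPIA."""
    return [row["activity"] for row in map(assess, register) if row["dpia_required"]]
```

Running `assess` over `REGISTER` shows the pseudonymised analytics dropping from High Risk to Risk after mitigation, while the profiling activity stays High Risk and is flagged for DPA consultation.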
In order to have an accurate assessment of any risks associated with your PII, it is also critical to have processes in place to ensure transparency and control of your data quality. When applying GDPR within a data governance platform such as Collibra, you can easily link your data quality scores to your data activities.
Here is an example of a typical privacy scorecard dashboard in Collibra:
In my next blog, I will focus on the different mitigation techniques and their effectiveness in reducing the risk to the rights and freedoms of the individuals.