It’s been over two years since the General Data Protection Regulation (GDPR) has been in place.
Its main purpose is to protect individuals' fundamental rights and freedoms, particularly their right to protection of their personal data. In 2020, the world was gripped by the Covid-19 pandemic, which affected us all in many ways. Data Protection was also affected with a rise data protection risks, which have led to an uptick in cyberattacks, malware, disinformation and data breaches.
Maintaining a data protection risk register can allow you to identify and mitigate against data protection risks, as well as demonstrate compliance in the event of a regulatory investigation or audit. The GDPR Accountability principle requires that you demonstrate the steps you have taken to comply with the regulation. That means having a risk-based approached to strive for compliance with any given organisation will require you to assess a risk based on its likelihood and severity in terms of the rights and freedoms of a natural person.
The accountability principle in Article 5(2) of the GDPR, requires that organisations not only comply with all the data protection principles, but also, that they are able to demonstrate compliance with them. So, what does that mean in practice? In short organisations must implement technical and organisation measures to demonstrate that the processing of personal data is undertaken in accordance with the GDPR.
The role of the DPO is to ensure that their organisation meets their requirements. Having a robust and structured way of managing their data protection risks on an ongoing basis is imperative. Such risks arise from the obligations and standards set out under the GDPR in that organisations must demonstrate:
- They are processing in accordance with the regulation (Article 24)
- Design processing to implement the data protection principles and integrate the necessary safeguards (Article 25)
- Ensure a level of security appropriate to the risk (Article 32)
These are ongoing requirements meaning that organisations must not only monitor, review and up-date their processing to continue to comply with the regulation. Organisations also need to keep themselves up to date on recent decisions issued by the European Courts, fines issued from national supervisory bodies and up to date guidance papers. Your risk register should assess a risk and align it with the principles of the GDPR ensuring that no processing activity undermines those principles.
Four Steps to successful risk management & mitigation
1. Identify Your Organisations Data Protection Risks
Conducting regular assessments of the processing activities that take place is a good starting point. Once you understand the processes and data flows that are happening, you can then assess the level of risk each activity presents to your organisation. As a data protection practitioner, your first protocol is to assess the risk against the principles of the GDPR and not in the context of the corporate or stakeholder objectives.
2. Assess the Level of Risk it Presents to Your Organisation
Assessing the risks based on severity to the organisation’s brand/name/impact to data subjects and its likelihood of occurring is a practical way of looking at a risk. These are influenced and determined based on how compliant they are with the seven principles of the GDPR. If a risk is imminent and poses a high risk, then this should be reflected in your risk register.
3. Maintaining a Live Risk Register
The most crucial element of the process is to log the risks identified and implementing a plan of action to mitigate those risks at your earliest convenience. Regularly reviewing your risk register and communicating those risks to the relevant individuals/departments will ensure that these risks will be mitigated against. Putting in place the appropriate controls will demonstrate your organisations awareness. Articulating the controls, technical and organisational measures, you put in place is the way in which you can adhere to the accountability principle. At this point, you can confidently show that you have identified risks, assessed those risks and you have found measures/controls contain the risk.
4. Data Protection Reporting
Finally, it is recommended that you should produce regular data protection reports to summarise the current data protection risks and compliance position to your board and management teams.
The above can all be achieved by utilising PrivacyEngine, our Privacy Management Software to help streamline your privacy compliance. Privacy Engine already has a bank of over 1000 risks and recommendations that your organisation can avail of. The tool allows you to maintain your risk register and allows you to manage and mitigate those risks overtime. All of which whilst providing detailed evidence trial of your compliance for the regulator.
To Learn More about Managing Risk for Privacy Teams – You can watch a webinar, hosted by PrivacyEngine Co-Founder and Chief Commercial Officer, Mike Morrisey by clicking below: