The General Data Protection Regulation (GDPR) is a European privacy law that protects the personal data of individuals in the EU. It applies from May 25, 2018. Any organization that controls or processes such data needs to understand the regulation in order to avoid violating it.
Article 35, "Data protection impact assessment", is the first Article in Section 3 of Chapter IV of the GDPR, titled "Data protection impact assessment and prior consultation". Processing that uses new technologies, or that involves sensitive categories of data, can put the data subjects (the people the data is about) at high risk. Article 35 sets out when and how data controllers must carry out a data protection impact assessment (DPIA) to identify and reduce those risks.
Before starting certain kinds of processing, a data protection impact assessment is mandatory. Article 35(3) names three cases in which an assessment is always required:
- a systematic and extensive evaluation of "personal aspects relating to natural persons" based on automated processing (including profiling), where decisions based on it "produce legal effects concerning the natural person or similarly significantly affect the natural person"
- large-scale processing of the special categories of data listed in Article 9(1), namely "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership", genetic data, "biometric data for the purpose of uniquely identifying a natural person", and "data concerning health or data concerning a natural person's sex life or sexual orientation"
- large-scale processing of "personal data relating to criminal convictions and offences" (Article 10)
- "a systematic monitoring of a publicly accessible area on a large scale"
The last case is broad: CCTV or other monitoring of the street outside a shopping centre, or of vehicles in a public car park or on a public road, would need an assessment. Supervisory authorities may also publish their own lists of processing operations that do or do not require a DPIA (Article 35(4) and (5)), so those lists should be checked as well.
When conducting a data protection impact assessment, the controller must seek the advice of its data protection officer, where one has been designated. Article 35(7) requires the assessment to contain at least these four elements:
1. A systematic description of the envisaged processing operations and their purposes, including, where applicable, the legitimate interest pursued by the controller.
2. An assessment of the "necessity and proportionality" of the processing in relation to those purposes.
For example, if you are analysing web traffic by browser type in order to spend optimization budget on higher-paying customers, collecting the physical or IP location of those customers may be neither necessary for nor proportionate to that goal.
3. An assessment of the risks to the rights and freedoms of the data subjects that the processing may create.
For example, in the browser/spending analysis above: could the collected IP addresses and spending profiles be used to re-identify individuals, or to profile or discriminate against them, and what would the impact be if the data set were breached?
4. The measures envisaged to address the identified risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance. If the assessment shows that the residual risk would remain high despite those measures, the controller must consult the supervisory authority before processing begins (Article 36).
Organizations can adopt the following best practices to make sure they comply with the GDPR standards:
– Audit the data you hold: identify what kinds of personal data are stored, where and how they are stored, and how they are processed. Assign a named owner for each processing activity so that someone is accountable for it.
– Choose an assessment method that suits the kind of data and processing involved; different methods are better at surfacing the risks of, say, biometric data than of web analytics. Settling on the method before the assessment starts makes the outcome more consistent and defensible.
– Look for applicable certifications or approved codes of conduct. Article 35(8) states that "compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment".
Following these three practices makes the assessment more relevant and efficient. It saves time and money while making compliance easier to demonstrate.