Another question that has come up with the impending implementation of the General Data Protection Regulation (GDPR) on May 25, 2018 concernts the types of data or data processing that are regarded as high risk or very high risk under GDPR. One of the primary targets of the GDPR is to legislate data security processes involving people within the European Union (EU). To achieve this, the concept of levels of risk may help to ensure compliance.
The GDPR ought to coordinate how the data of people based in the EU is gathered, stored, and processed. The new guidelines will not only affect companies situated in EU member states. It will also affect companies located all across the globe which handle data gathered within the EU.
To make sure of compliance, organizations must evaluate their processes and change them according to the requirements of the rules. A first step that organizations may need to look at relates to the Data Protection Impact Assessment. It considers auditing and assessing the personal data which they possess at the moment. Certainly, this is a necessary measure under the GDPR. The possibility and severity of the threat to the rights and freedoms of the data subject ought to be determined by referring to the nature, extent, context and objectives of the processing. Risk must be examined based on an objective evaluation, by which it is established regardless if data processing procedures entail a risk or a high risk.
How can organziations distinguish high risk processing activities? The GDPR will create the European Data Protection Board to provide guidance concerning high risk processing activities. This Board will provide guidance on implementing proper measures and on demonstrating compliance particularly in relation to identification of risks and the best tactics to minimize risk. Organizations must seek out and adhere to these recommendations when they are available.
The GDPR doesn’t provide any exact definition of high risk processing activities except that they are to be determined following assessment. Processing of big volumes of data or sensitive data are provided as examples which most likely result in high risk in the law. The assessment must assess “the origin, nature, peculiarity and severity of […] risk”. Areas which should be evaluated are data security, probable breaches of security, privacy issues, scope of data collected, and the kind of processing activity performed.
The guidance presented within the regulations about risky processing activities mentions that such types of processing operations could be those which, particularly, involve utilizing new technologies, and where no data protection impact assessment has been performed earlier by the controller, or where they become essential in the light of the time that has passed since the preliminary processing. Any one of these conditions on its own, for instance a new technology being utilized, doesn’t readily mean that the processing is high risk; all things must be taken into account in the total context.
Subsequent to the assessment, organizations are required to do something to lower the risks recognized. Proper organizational and technical measures must be set up to handle flaws. If a controller is concerned that they are not able to sufficiently minimize a risk, they ought to talk to their supervisory authority prior to processing.
The GDPR necessitates that risks be evaluated, identified, and resolved as far as possible. When figuring out the intensity of risk, take into account the nature, extent, context, reasons for processing as well as the sources of the risk. All steps to minimize risks should be documented so that supervisory authorities can review them. Failing to assess, tackle, or document risk reduction actions will probably be regarded as a violation of the GDPR and may bring about financial sanctions and penalties.