Your Guide to GDPR Compliance: Data protection impact assessment and security measures for processing data

Today is GDPR day! Woot! We already told you, GDPR is not about a date. This is a long-haul journey that, we firmly believe is making the Internet a better place.

Is there some new red-tape? Yes. But it seems that the only way stop the ridiculous arms-race for the new gold “personal data” is to level the playing field through strong regulations. So in this series we try to continue and help you understand in simple terms what it is about, and how you can make sure you are ready ... and ready to leverage this not only so your business is not adversely impacted also to become operationally better.

We have already mentioned the Data protection impact assessment (DPIA) in our previous blog posts (this is basically the step where you discover what it is in your activities that is truly affected by the GDPR). In this blog post, we will talk more about it and the kind security measures you can implement to protect people’s personal data.

The GDPR specifies that a DPIA will be required in the case of:

• Automated processing, including profiling where there are legal effects concerning people
• Processing on a large scale of special categories of data or personal data relating to criminal convictions
• A systematic monitoring of a publicly accessible area on a large scale

But this is very important and good practice even if you did not install thousands of video cameras with facial recognition. Conducting a DPIA can help you to identify and minimize problems and risks early on and resolve them before any damage is done. To be effective, the DPIA should be used throughout the development and implementation of a project. It will help you to systematically and thoroughly analyze how a particular project or system will affect your users’ privacy. But before you start one, you should map out your data information flow. This will show you where you transfer data from one location to another. It will help you to identify privacy risks and also to understand how the information is used. Conducting a DPIA is good practice because it brings certain benefits, which include:

• Transparency
• Awareness of privacy and people rights within an organization
• Building trust with your clients
• Financial benefits
• Reduced privacy risks

In order to help organizations with the data privacy impact assessment, The French Commission internationale de l’Informatique et de Liberté (CNIL) published a free PIA software (Privacy Impact Analysis). Those steps include:

• Identifying the need for DPIA
• Define the scope of processing
• Demonstrating that you are implementing the necessary means to meet the 6 principles of processing data
• Demonstrating the controls to protect private data
• Identifying existing or planned controls to contribute to data security
• Identifying and assessing risks
• Identifying the measures to mitigate the risks
• Comparing the positioning of the risk
• Integrating outcomes into a plan and keeping it under the review

A data protection impact assessment should be carried out by the controller and advised by the Data Protection Officer, in order to assess the particular likelihood and severity of high risk activities. When it indicates that the processing would result in a high risk to the rights and freedoms of people and the controller (the entity operating the service) believes that risks cannot be mitigated by available technologies and costs of implementation, they will need to consult the supervisory authority before any processing.

Another way for the organizations to comply with the GDPR is to implement appropriate technical and organisational measures to secure personal data. We have already written about policies and data protection by design and default in our previous blog post, and you should remember.. None of these activities is a “one-off”. You should regularly try do the assessment. Because new systems will come into play, sometimes minor changes to workflows can bring about new risks (or on the contrary remove some activities from the compliance scope).

In a case where one or more processors are included it is the responsibility of an organization to ensure compliance with the regulation. This means following:

• Choose a processor who will provide sufficient guarantees about its security measures
• Put in place a written contract that can require the processor to use the same GDPR-compliant security measures
• Make available to the controller all information necessary to demonstrate compliance with the obligations

The Regulation states that the measures you need to take should be appropriate. That leaves you to decide which measures to implement considering your information risk. Information risk assessment can certainly help here. A good starting point is to make sure that you’re in line with the requirements of Cyber Essentials — a UK government scheme that includes a set of basic technical controls you can put in place relatively easily. But Cyber Essentials is just a base, you won’t be able to address to all risks with it alone.

Adherence to approved codes of conduct or certification mechanisms may be used as well. Certification is voluntary and doesn’t reduce the responsibility of a controller or processor but it can demonstrate your good faith and in case you do run into trouble with the regulator ... it may well play in your favor. Implementing an information security management system (ISMS) is a good way to support your compliance efforts. It consists of 3 key components: risk assessment, risk treatment, and incident response (including the appropriate data breach reporting). ISO 27001 is an international standard for ISMS. It is a certification that is successfully used worldwide, and by achieving it, your organization will protect its information assets and valuable data using best-practice information security measures.

Along with all these security measures we can’t forget the information security policy that represents a vital element of your information security program. It is a set of rules that should reflect the organization’s objectives and intent to implement an information security framework. This policy will direct all your organization’s efforts to protect its data, and especially the personal data. This document is different from the privacy policy, it should be approved by CEO of the company, it should affirm responsibility and accountability, be communicated to everyone in the company and subject to regular reviewing.

Data security failures can be catastrophic for any organization. Therefore, it is essential to secure all personal data against loss and damage. Recognise the vulnerabilities and eliminate them, ensure the confidentiality, integrity and availability of your systems and services and make sure that all your processors have the same security standards.

The GDPR gives you a good framework to embark on this journey. Yes, you may have received a billion emails today, you may have seen a couple of media publications that are now filtering European visitors. But think: if they needed to do this, what have these people been doing with your private data?