In the first part of this blog series, we discussed some core objectives, characteristics and principles of the GDPR, which is due to take effect on 25th May 2018. In this second article, we will discuss in greater depth some of the core IT security objectives relating to GDPR. The purpose of the GDPR is to establish directions to protect “natural persons” where their personal data is processed and to provide guidelines regarding the free movement of their personal data. Whilst GDPR safeguards fundamental rights and freedoms of individuals, as well as helps protect their personal data, it is not intended to restrict the processing of personal data. Consequently, GDPR entirely detaches data protection from the right to privacy. One of the core IT security objectives of GDPR is assessing risk to personal data. Therefore, from the perspective of IT security, a “Data Protection Impact Assessment” (DPIA) should be one of the core concerns of organisations.
Motivation of DPIA
The DPIA will play a crucial part in categorising and assessing the privacy risks of Personally Identifiable Information (PII) in organisations. As a result, organisations should implement adequate processes to reduce risks and the impact of the risks to the PII of data subjects. In addition, organisations will have a mechanism for addressing the risk of non-compliance with the regulations, addressing IT operational risk whilst at the same time providing trust that will enhance competitive advantage. The DPIA can be considered as part of a broader risk management process that any organisation must implement and perform to address all relevant risks. DPIA analyses risks to PII and provides a mitigation process, using control measures related to the risks that are identified.
Scope of the DPIA
Information security aims to protect the confidentiality, integrity, availability, authenticity and auditability of information. Therefore, there is overlap with the scope of the DPIA. However, the DPIA aims to deal with compliance, accuracy, continuity and recovery, as well as other objectives of information and data security. Hence, DPIA deals with a much broader process. In a nutshell, a DPIA is an assessment of the risks to the rights and freedoms of data subjects, and the mitigating controls are provided to minimise such risks. This is to ensure that methods of protecting PII for compliance with the requirements of GDPR are specified.
Stakeholders and Responsibilities
- The GDPR owner (in many cases, the new Data Protection Officer [DPO] role) is responsible for conducting a DPIA.
- The risk owners are responsible for implementing controls to address and mitigate risks to privacy.
- The GDPR owner and the “Head of Risk” must check that correct controls are implemented to mitigate any risks identified in the DPIA process.
DPIA Phases
The GDPR requires that data controllers/owners implement DPIA where certain kinds of processing of PII may are likely to increase the risk to the data subject. The DPIA must incorporate a systematic and extensive assessment of processes in organisations and how PII is protected. Thus, the DPIA process comprises the following phases:
Phase 1 – Determining the criteria for conducting a DPIA Phase 2 – Commencing the process Phase 3 – Data processing: Identification and characterisation of data subjects Phase 4 – Identification of privacy risks and risk assessment Phase 5 – Recommendation of solutions and residual risks Phase 6 – GDPR post-treatment compliance assessment Phase 7 – Providing DPIA report and approval Phase 8 – Review and maintenance and change management documentation
The above DPIA phases will assist organisations in identifying risks attached to PII during processing. Therefore, outlining the essential phases of the process will help organisations to allocate the right solutions and controls to mitigate risks to PII. The senior management team will then receive the right information to inform effective decision-making when setting budgets for process and planning.
Risk Assessment
GDPR suggests a risk-based approach to data privacy, but it does not dictate any specific methodology for the risk assessment. Risk assessment becomes even more relevant in relation to information security. However, it is important to distinguish between a “Risk Analysis” and a ‘Risk Assessment”. A risk analysis involves identifying threats to an organisation and analysing the related vulnerabilities to such threats. A risk assessment includes evaluating existing controls and assessing their competence in relation to the potential risks to the organisation. Every organisation must create its own risk profile to assess the risks based on business requirements and its own risk appetite. To initiate a risk assessment for GDPR data, the following steps are recommended:
- The identification of risk management tasks, responsibilities, activities, and budget
- The appointment of a risk owner with clearly-defined tasks
- Maintenance of the attributes of a defined risk: label, description, probability, and importance
- Mapping and classification of GDPR data
- The identification of the potential impact on the confidentiality and integrity of the data
- Planning controls for risks to PII that are identified as requiring mitigation
- Reporting identified risks and the effectiveness of controls
The outcome of the risk assessment clarifies the inherent risks to PII, the implementation of the controls, and the residual risks. This process assists the data controllers in adopting a risk-based framework in a way the GDPR encourages while at the same time providing an insight into the threats and probability of the impact of such threats.
Conclusion
The GDPR encourages organisations to put sufficient processes in place as detailed above, so that risks to PII are minimised and the privacy of individuals is protected. Indeed, privacy is a core principle at the heart of the new regulations. In addition, the regulations place emphasis on the need for robust governance by data controllers, so that organisations have good oversight of their processing activities, providing an extra layer of assurance for individuals that their PII is well protected. The GDPR also emphasises the need for suitable processes, such as the DPIA to be implemented to support data processing activities. Organisations taking a methodical approach to the introduction of new processes and appointing the new roles, such as Data Protection Officer, in a timely manner well in advance will be best placed to successfully adopt and adapt to the new rules. As we have demonstrated, risk assessment will support the identification of business activities requiring redesigned processes by identifying the information assets to be protected, the potential risks to the individuals and indeed the business itself if these are not protected, and clear channels for providing transparency over this process and ultimately assurance of compliance for business owners. About the Authors:
Reza has been working in various IT positions in the last 27 years and currently working as an information security consultant. He worked as International Marketing Manager in two companies, which specialise in wide range of consultancy services such as information security, risk management, business continuity and IT governance in the Middle East. His current work as security consultant includes, specialising in information security coaching, helping his clients to become more effective and efficient typically through the strategic of information systems, risk management and security governance. Having significant experience of the commercial and financial sectors in various parts of the globe working with variety of cultures and work ethics enables him to understand current security requirements and threat landscape to achieve better outcome in GRC environment. Reza is the Managing Director of “Information Security and Audit Control Consultancy (ISACC)” whilst chairing the “Information Risk Management and Assurance (IRMA)” specialist group in BCS and sits on the RM/1 Risk Management Committee at “British Standard Institution (BSI)”.
Juliet Flavell formerly worked in the high pressure environment of IT project management and service provision within the legal sector. In 2016 she became accredited as a Chartered IT Professional and currently runs a technology non-profit organisation. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
