A data breach may be viewed as the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data. Over the years, security news reports have been replete with incidents of data breaches across the globe, so it is little surprise that 1 in 4 businesses have experienced this type of incident. The financial impact is also unmistakable: the total average cost of a breach is estimated at $3.62 million, which equates to in excess of $300,000.
The frequency and costly consequences of data breaches have in turn created a greater demand for privacy and security. As a result, organizations are being called to account through various security and compliance measures. One such measure is the set of regulatory requirements under the EU General Data Protection Regulation (GDPR), which comes into operation on May 25, 2018. Organizations therefore need to begin, if they have not already, preparing their people and internal processes to meet these requirements on or before May 25, 2018.
The GDPR outlines detailed requirements to assist an organization in protecting data and minimizing the risk of breach of privacy. For instance, the GDPR requires data controllers to conduct Data Protection Impact Assessments (DPIAs) as a means of minimizing risks to data subjects, particularly where privacy breach risks are high.
This increased emphasis on the protection of data will benefit both customers and organizations. Customers gain increased confidence in the organizations that use and safeguard their personal data. The benefits to an organization include:
In order to manage business risk, an impact assessment is normally used to support an organization's decision-making process. The impact assessment helps to identify:
Accordingly, several industries have integrated impact assessments into their business processes to provide insight into vulnerable areas of operation. The underlying principles of the DPIA are no different: it seeks to ensure that organizations effectively manage data privacy risks.
Despite the potential benefits of the GDPR, including the DPIA, many security analysts have forecast challenges in its implementation. For instance, Forrester Research has made the startling prediction that 80% of firms affected by the GDPR will fail to comply with the regulation by the May 2018 deadline. It further stated that 50% of these non-compliant firms will intentionally not comply, while the other 50% are trying to comply but will fail. The failure of those that are trying is attributed to several factors, including limited knowledge of the scope of the GDPR and limited access to experienced professionals who can guide them through the stages of compliance.
Given this security and compliance landscape, it is forecast that the privacy impact assessment will become entrenched and evolve into an industry standard for security management over the next few years, extending its reach beyond the current legislative requirement.
Based on these developments, the purpose of this paper is to consider some of the typical questions an organization may have in relation to this new compliance requirement, such as:
What is the Scope of GDPR?
The scope of the GDPR extends beyond the borders of the European Union (EU). It applies to the processing of personal data, whether automated or not, where the processing activities are in relation to:
This means that a global entity, and any organization with an online presence that offers goods or services to, or monitors the behaviour of, individuals in the EU, will likely fall under the ambit of these rules regardless of where it is established. Consequently, there are certain essential requirements that organizations involved in the processing of personal data must adhere to, as indicated in Table 1. These include obtaining valid consent and conducting a DPIA under certain circumstances.
Table 1: Essential Requirements under GDPR

| Requirement | Description |
| Consent | (1) Consent requests must be clear and intelligible, and distinguishable from other matters. (2) The right to withdraw consent must also be made clear. |
| Rights of Data Subjects | Provides for extended rights, such as: timely mandatory notification of a breach; the right of access to information on the nature and form of the personal data being processed; and the right to be forgotten. |
| DPIA | Mandatory where the type of processing is likely to result in a high risk to the rights and freedoms of natural persons (data subjects). |
| Penalties | An organization in breach may be fined up to 4% of annual global turnover or €20 million, whichever is higher. |
What is the DPIA?
The DPIA is a diagnostic tool, or process, that provides decision-makers with information about personal data protection risks and vulnerabilities. Its main purpose is therefore to help identify and mitigate the personal data protection risks that arise from the operations and activities of an organization.
When is the DPIA required?
A DPIA is required when the type of processing (i.e. the use, collection, storage, etc.) of personal data is likely to result in a high risk to the rights and freedoms of a natural person. In other words, where there is a likely risk to the privacy and security of personal data while it is being used in daily operations, a DPIA becomes necessary.
A DPIA is also required when:
1) processing on a large scale of special categories of data, such as:
a. Those revealing –
b. Those processing –
2) processing on a large scale of personal data relating to criminal convictions and offences;
3) systematic and extensive evaluation of personal aspects relating to a natural person, based on automated processing, including profiling, on which decisions are based that produce legal or similarly significant effects on the person;
4) systematic monitoring of a publicly accessible area on a large scale.
In summary, a DPIA is required where the processing of personal data is likely to infringe on the fundamental right to protection of that personal data. Therefore, whenever an organization uses, stores, collects or records personal data and there is a high risk that these activities will lead to reduced protection of, or a breach of, that personal data, a DPIA is required. The GDPR explicitly mentions certain high-risk activities, such as the use of new technologies and the processing of certain types of data.
Things to Consider for DPIA
Undertaking a DPIA involves determining the impact that processing activities will have on the security and privacy of personal data. The primary goal of the DPIA is therefore to determine the specific effect the organization's business processes will have on safeguarding personal data.
Article 35 of the GDPR outlines some of the basic elements of what an assessment should include, such as:
The protection of personal data is a fundamental right of every person. As a result, organizations must take steps to ensure that the risk of an unauthorized or unintentional data breach is minimized.
Some of the key considerations for an organization include:
In closing, conducting a DPIA is one compliance measure that global organizations in particular are required to undertake to protect the rights and freedoms of data subjects by safeguarding their personal data from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to that data. This should help reduce vulnerabilities and improve security controls in these organizations. As the security landscape continues to evolve, strategies to counter cybercriminals and improve controls have become a necessity, not merely a legislative mandate.
About Wilson Consulting Group
Wilson Consulting Group is an innovative global cybersecurity consulting firm headquartered in Washington D.C., with a European office in London, England.
We specialize in governance, cybersecurity, risk, and compliance consulting services, providing our clients with strategic guidance, technical solutions, and business advice to best serve their individual needs. We have the capacity to assist you in meeting your security mandate. Further information is available at https://www.wilsoncgrp.com