Risk based approach

When your organisation collects, stores or uses (i.e. processes) personal data, the individuals whose data you are processing may be exposed to risks. It is important that organisations which process personal data take steps to ensure that the data is handled legally, securely, efficiently and effectively in order to deliver the best possible care.

The risk-profile of the personal data your organisation processes should be determined according to the personal data processing operations carried out, the complexity and scale of data processing, the sensitivity of the data processed and the protection required for the data being processed. For example, where a data processing activity is particularly complex, or where a large volume or sensitive data is involved (i.e. an internet, health, financial or insurance company), this would attract a higher risk rating than routine personal data that relates solely to employee or customer account details.

When looking at the risk profile of the personal data your organisation processes, it is useful to look at the tangible harms to individuals that your organisation needs to safeguard against. These are detailed in Recital 75 of the GDPR and include processing that could give rise to: discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation; or any other significant economic or social disadvantage.

Conducting a risk-assessment will improve awareness in your organisation of the potential future data protection issues associated with a project. This will in turn help to improve the design of your project and enhance your communication about data privacy risks with relevant stakeholders.

The GDPR provides for two crucial concepts for future project planning: Data Protection By Design and Data Protection By Default. While long recommended as good practice, both of these principles are enshrined in law under the GDPR (Article 25).

Data Protection by design means embedding data privacy features and data privacy enhancing technologies directly into the design of projects at an early stage. This will help to ensure better and more cost-effective protection for individual data privacy.

Data Protection by default means that the user service settings (e.g. no automatic opt-ins on customer account pages) must be automatically data protection friendly, and that only data which is necessary for each specific purpose of the processing should be gathered at all.

Under the GDPR, a Data Protection Impact Assessment (DPIA) will be a mandatory pre-processing requirement where the envisaged project/initiative/service involves data processing which “is likely to effect in a high risk to the rights and freedoms of natural persons.” This is particularly relevant when a new data processing technology is being introduced in your organisation. In cases where it is not clear whether a DPIA is strictly mandatory, carrying out a DPIA is still best practice and a very useful tool to help data controllers demonstrate their compliance with data protection law. DPIAs are scalable and can take different forms, but the GDPR sets out the basic requirement of an effective DPIA. Guidance on conducting DPIAs can be found here.

Maintaining a data protection risk register can allow you to identify and mitigate against data protection risks, as well as demonstrate compliance in the event of a regulatory investigation or audit.