GDPR (14) Personal data risk assessment
The GDPR places a great deal of emphasis on the fact that all controllers and processors of personal data must adequately protect the confidentiality, integrity and availability of the personal data. Even if you do not have any specialised staff to take care of this obligation, it is perfectly possible to comply with it by taking a simplified approach.
The starting point for all measures is a risk assessment. Although this sounds difficult and serious, it does not need to be complicated. Simply take your records of data processing operations and go over them, step by step, and ask yourself a few targeted questions. Next, add two more columns to your records. In these columns, specify the risks associated with each specific processing operation and the measures you can take to limit these risks.
I’ll give some simple examples that you are also likely to find in your own records. You will have a data set containing the contact details of people to whom you like to send information about your products and services every so often. You obviously hold data about their name and address, and also about the business they work for, their positions and perhaps their studies, hobbies and areas of interest, too. Besides this, you will have all kinds of data relating to your own employees. You keep updated information about their career development and annual evaluations. Every month, you provide the social secretariat with details of employees who were on leave or were sick. You have to know the make-up of their families, because this needs to be taken into consideration when calculating payroll tax. And perhaps your security cameras film everyone entering and leaving your premises. There are plenty of other examples, and it is impossible to conceive of any situations in which no personal data are processed at all.
What are the risks that exist with regard to the security of this information? A great deal depends on how you store the data, in other words the technology you use.
- If you work with paper files, it is important to consider whether folders and index card holders are openly accessible on your desk or are locked away in a cupboard. In the latter case, you need to identify who has access to your office and who can get their hands on the key. Do you close the door when you leave? Do you put the papers away?
- In the case of files stored on a computer, essentially the same questions apply, although the answers will be slightly more complex. Perhaps you work offline on a laptop computer. Does this computer have a password? Are you the only person who knows this password? Are the confidential personal data contained in a file that has password protection? When you take your laptop computer out of the business’s premises, does it have any additional protection? Do you sometimes leave it in your car? Where do you keep it in your home?
- The situation is different again if the data are stored on a server rather than locally. Do all users of the server have access to all data? Do they actually require this? Are you able to split the server into zones and assign different levels of authorisation to different users or groups? Is the server backed up, and where are the backups kept? Is there an IT company that carries out maintenance work on the server park? Does it have access to all data? Have you reached agreement with the company on what its employees can and cannot do, despite the fact they effectively have full rights (which they require to perform their work)?
- Are the data stored in the cloud? In that case, where are the data actually located, and who has access to the data? What guarantees has the cloud provider given? Are any data transferred abroad or even outside Europe, where they are not protected by the GDPR? Are the data transferred in a secure manner?
- Are the security camera images saved and stored? How long do you keep them? Who is able to view the data, and in which circumstances are they actually consulted?
As you may have gathered from the above questions, by taking measures in each of these situations you can dramatically reduce the risk of violations and infringements. The examples also show that the risks differ, depending on the precise contents of the files. If a file contains contact details only, a breach of confidentiality will not have a huge impact. This is not the case, however, where certain types of personal data are concerned. Much stricter security is required if, say, you work in the healthcare sector and keep records of sensitive data relating to patients or clients (which amount to medical data) precisely because a breach of confidentiality or integrity can have much more serious consequences. Depending on the size of the database, the impact may become greater as the number of data subjects increases. The measures that you take in relation to each of the listed risks must always be commensurate with the assessment of the risk.
Given this, it is logical that the GDPR imposes greater obligations on all organisations that use special categories of personal data and on all organisations that systematically process personal data as their core activity. In some cases, a formal data protection impact assessment (DPIA) has to be drawn up and submitted to the Privacy Commission before processing takes place.
It is advisable that all companies and organisations perform largely the same exercise. Keeping proper notes and records of the findings is also recommended, so you can demonstrate at any time that you handle personal data legally and with respect. Specialised software or methodologies can be useful, but in many cases they are unnecessary. The two columns mentioned above, which you can link to simple records of data processing operations, will supply much of the evidence you will require, provided the information is entered with due care.
In the next instalment of this blog we will take a closer look at the areas in which protection measures can be implemented to ensure personal data are stored and processed securely.
Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).
If you have any questions or comments, please write to us at firstname.lastname@example.org.