The GDPR Series – Impact Assessments
Entry 5 of 6
Welcome to blog number 5 in our 6-part series on GDPR. With so much emphasis on the new regulation and the May 25th deadline drawing closer, we wanted to offer you some assistance in addressing the key questions around the new requirements. As you know, acceptcards® are experts in payments... but not so much in data protection regulations. With this in mind, we have invited our friends from Legacy IT Consultants Ltd to write this guest series on our behalf. Enjoy!
The General Data Protection Regulation (GDPR) is an EU regulation that seeks to strengthen and unify data protection for all EU residents. There is a general obligation under the GDPR to implement appropriate technical and organisational measures, and to be able to show that your organisation has considered and built data protection into all of its processing activities. This obligation is supported by the ‘Privacy by Design’ principle (the GDPR calls it data protection by design and by default), which requires privacy and data protection to be built in from the outset, whether the processing activity is new or existing.
A Data Protection Impact Assessment (DPIA) is a tool which helps organisations to evaluate a processing activity fully and to identify where and how to meet their data protection obligations. An effective DPIA describes the processing activities and their associated risks, enabling the organisation to identify and document concerns and to mitigate or resolve problems before the processing begins.
A DPIA should be documented, and revisited whenever the processing or the risks associated with it change, throughout the lifecycle of the processing activity.
Carrying out a DPIA reduces the risk of non-compliance and of data breaches, and so reduces the costs and reputational damage that would follow from either.
Under the Data Protection Act (DPA), privacy by design and the use of privacy impact assessments (PIAs) were encouraged; however, they were not a legal requirement.
Under the GDPR a DPIA is an integral part of privacy by design, and in some cases it is a legal requirement.
A DPIA is mandatory (GDPR Article 35) where the processing is likely to result in a high risk to the rights and freedoms of individuals, in particular where new technologies are used. The GDPR names three cases where this is always so:-
- A systematic and extensive evaluation of personal aspects of individuals, based on automated processing (including profiling), on which decisions are based that produce legal effects or similarly significant effects on the individual
- Large scale processing of special categories of personal data, or of personal data relating to criminal convictions or offences
- Systematic monitoring of a publicly accessible area on a large scale
Supervisory authorities such as the ICO also publish lists of the kinds of processing for which a DPIA is required.
A DPIA is also strongly recommended when:-
- Building new IT systems for storing or accessing personal data
- Using data for new purposes
- Developing legislation, policy or strategies that have privacy implications
- Embarking on a data sharing initiative
A DPIA should contain:-
- A systematic description of the processing operations and their purposes, including, where applicable, the legitimate interests pursued by the Data Controller
- An assessment of the necessity and proportionality of the processing in relation to those purposes
- An assessment of the risks to the rights and freedoms of individuals
- The measures envisaged to address those risks, including safeguards and security measures, and how compliance with the GDPR will be demonstrated
The Data Protection Officer
A Data Protection Officer (DPO) is a data privacy leadership role under the GDPR. DPOs are responsible for overseeing data protection strategy, implementation and compliance with the requirements of the GDPR.
Under the GDPR (Article 37) a DPO is mandatory where:-
- You are a public authority or body (except for courts acting in their judicial capacity)
- Your core activities require regular and systematic monitoring of individuals on a large scale (for instance online behaviour tracking)
- Your core activities consist of large scale processing of special categories of data or of data relating to criminal convictions and offences
Other DPO considerations include:-
- A DPO can act for a group of companies or for a group of public authorities
- A DPO can be appointed by any organisation (and you may choose to appoint one even where there is no requirement, to help support and give guidance to your organisation)
- The role of DPO can be outsourced
- Even if you do not appoint a DPO you must ensure that your organisation has sufficient staff and skills to demonstrate compliance with the GDPR
The role of the DPO includes:-
- Act as the first point of contact for the supervisory authority, for instance the Information Commissioner’s Office (ICO), and for data subjects, for instance candidates, customers, employees, etc.
- Inform and advise the organisation and its employees of their obligations under data protection legislation, including the GDPR.
- Monitor compliance with data protection laws, including the GDPR, and with the organisation’s own data protection policies.
- Advise on DPIAs where requested and monitor that they are carried out.
- Raise awareness of and train staff involved in processing, and carry out related audits.
Within an organisation the DPO:-
- Reports directly to the highest management level.
- Has expert knowledge of data protection law and practice, proportionate to the processing their organisation undertakes and the level of protection its personal data requires.
- Must be able to perform their tasks independently: they must not receive instructions on how to carry them out, and cannot be dismissed or penalised for performing them.
- Must be given adequate resources to meet their obligations.
- Can be an existing employee, as long as their other duties are compatible with the role of DPO and there is no conflict of interest.
- Can be contracted externally (outsourced).
For more information, advice or assistance on the GDPR please visit the Legacy IT website here or email them at firstname.lastname@example.org
Author: Mike Madden - Legacy IT Consultants Ltd.