Adopting a Risk-Based Approach to GDPR Compliance

In 2017 data protection readiness must take centre stage for all organisations using personal data. The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, meaning there is now less than 18 months to ensure GDPR compliance.

Privacy is a fundamental right for EU citizens and is increasingly important in the digital age. GDPR requires that organisations fully consider the risks that processing poses to the fundamental rights and freedoms of individuals. In this brief blog we’ll highlight some of the key points to help you appreciate what this means for your organisation in fulfilling GDPR obligations.

What are risky processing activities?

Although the concept of risk runs throughout the GDPR, it is not specifically defined. Some examples cited in the Regulation that are more likely to result in a high risk include:

· systematic automated profiling

· large scale monitoring of sensitive data

· systematic monitoring of a publicly accessible area on a large scale

The Information Commissioner’s Office (ICO), along with other data protection authorities in the EU, will issue further guidance on high risk processing activities. However, it is important to remember that risk needs to be determined in the specific context of your own operations, and there is no “one-size-fits-all” list. Consider in particular how you engage in these activities:

· processing sensitive data (ethnicity, political or religious beliefs, and health, genetic or biometric data)

· processing involving vulnerable individuals or children

· processing personal data on a large scale

· automated profiling of individuals

In determining whether an activity is risky you need to think carefully about the “likelihood and severity” of any negative impact of your processing activities on individuals, by reference to the nature, scope, context and purpose of the processing. For example, a vulnerable individual may be particularly concerned about the risks of identification or the disclosure of information.

Potential individual harms to think about include: discrimination, identity theft or fraud, financial loss, damage to individual reputation, loss of confidentiality, reversal of pseudonymisation or significant economic or social disadvantage.

What are the implications of the risk level?

Certain obligations and/or exemptions under the GDPR flow directly from the level of risk. If the processing activities are considered high risk, then you will need to consult with the ICO before embarking on the activity and conduct a detailed data protection impact assessment. High risk data breaches also need to be notified to data subjects (in addition to the ICO). Additionally, smaller businesses, which have less extensive record-keeping requirements, need to ensure that their written records adequately cover their high risk activities.

On the other hand, if you identify that the processing is not risky or is low risk, then you may be exempted from some obligations. This includes the need to notify the ICO about low risk data breaches or, as a foreign-based controller, to appoint an EU-based representative.

How do I mitigate risk?

A pro-privacy organisational culture is the best starting point for mitigating risks, as this will ensure that everyone across the organisation takes a privacy-centric compliance approach. More specifically, you can implement suitable technical or organisational measures, such as encryption to improve security, pseudonymisation or other steps to de-identify personal data, or simply minimising the amount of personal data required for a project.

To examine processing activities, take a three-pronged approach:

1. Identify any potential harms

2. Evaluate the severity of the harm

3. Consider the likelihood of the harm occurring.

This will allow you to think about what you can do to minimise and mitigate the risks to individuals.

Data protection impact assessments (DPIAs) are the practical tool required under the GDPR to assist organisations in this process. As the ICO notes, “An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.”

The ICO has produced useful guidance under the Data Protection Act 1998, and we can also look forward to the release of GDPR-specific guidance on this area.

What next?

Build on your organisation’s awareness of the significance of the data protection reforms, and on what you know about the types of personal data your organisation collects and processes, to plan and prioritise GDPR compliance based on risk assessment.

It’s a New Year. Start focusing on the priority areas that pose the highest risk to individuals and will have the largest potential impact on your organisation, and you can make substantial headway in preparing for GDPR.