Part 9: Risks & Data Protection Impact Assessments (DPIAs)

Accountability is one of the 7 Principles under the GDPR (General Data Protection Regulation). To ensure businesses comply with their accountability obligations, the ICO has now created a framework that breaks down the key elements of accountability in data protection.

As part of an ongoing series of blogs, CVG Solutions will be guiding you through the ICO’s 10 framework categories, taking a closer look at the importance of each aspect and how to adhere to them.



It is important for an organisation to have a risk framework and management strategy to allow for the assessment and management of data protection risks. The first step towards implementing an effective data protection framework is to understand the risks associated with how your organisation processes personal data.

A DPIA is a risk management tool that supports and facilitates ‘data protection by design and by default’ by identifying data protection risks whenever a change occurs. DPIAs are mandatory and should be built into the organisation’s change management process and procedures.

By using DPIAs you can pinpoint the critical areas that pose risks, enabling you to plan accordingly to mitigate them.

To simplify the necessary information, this section has been split into 5 sub-sections.

  • Identifying, recording and managing risks

First and perhaps foremost, your company must establish an information risk policy that outlines how risks are to be managed and how compliance is monitored.

Risks need to be identified and managed using a risk register. Once information risks are identified, you must have appropriate action plans and progress reports in place. These can provide crucial lessons and help to avoid future risks.

  • Data protection by design and default approach to managing risks

Data Protection Impact Assessments (DPIAs) should be conducted at the beginning of projects, in conjunction with the planning and development process, when it is necessary to do so. Be sure to reference DPIA requirements in all risk, change and project management policies and procedures.

Risks and any possible mitigations should be anticipated from an early stage. They should also be considered from the initial design phase of any system, and throughout its lifecycle.

  • DPIA policy and procedures

It is vital to implement a DPIA policy that includes:

  • criteria for deciding when to conduct a DPIA,
  • what they should cover,
  • who is responsible for them,
  • and how to incorporate them into overall planning.

Staff need to be trained on when to conduct a DPIA and relevant stakeholders should be consulted during the procedure. Any DPIAs deemed unnecessary must be documented. The responsibility for completing DPIAs should be given to a member of staff who has the appropriate capacity to effect change, such as a manager or project leader.

  • DPIA content

You should have a standard template that includes all the necessary information required of a DPIA:

  • the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

The relationships and data flows between controllers, processors, data subjects and systems should be laid out clearly. Identify measures that eliminate, mitigate or reduce high risks. Record the details of any consultations throughout the process, review periodically and get a manager or project lead to sign off on the finished DPIA.

  • DPIA risk mitigation and review

The resulting outcomes of DPIAs should be incorporated into work plans, project action plans and risk registers. Mitigations must be in place prior to starting high-risk processing. It is vital to establish a procedure to consult the ICO if any high risks cannot be mitigated. Results should always be communicated to stakeholders and if you wish to actively publish DPIAs, be sure to remove any sensitive details (where applicable).

So risks need to be:

  • identified,
  • documented,
  • mitigated,
  • and


For any changes to data protection and transferring policies as a result of Brexit, or for a full breakdown of what privacy information includes, get in touch with CVG Solutions and we can help guide you through everything you need to know and ensure you meet all the requirements laid out by the ICO.

Check back for monthly updates and information regarding the ICO Accountability Framework. Next month, we’ll be taking a closer look at Breach Response and Monitoring. You can also read our other blogs in the series on:

Leadership & Oversight (Part 1) 

Training & Awareness (Part 2)

Transparency (Part 3)

Contracts and Data Sharing (Part 4)

Records Management & Security (Part 5)

Policies & Procedures (Part 6)

Individual’s Rights (Part 7)

Records of Processing and Lawful Basis (Part 8)


If you require any further help, guidance, information or clarification, you can contact CVG Solutions at, or call us on 01775 660-506. Additionally, you can fill out a digital self-assessment form on the ICO website: Accountability framework self-assessment | ICO


‘Risks and Data Protection Impact Assessments’ Checklist:

  • Do staff know how to report and escalate concerns and risks?
  • Could staff explain the links between the information risk register, the risk assessment of information assets, departmental risk registers and the corporate risk register?
  • Would staff working on personal data processing projects be able to explain how they manage the risks as part of the project?
  • Are your policies and procedures easy to locate?
  • Are staff aware of the process?
  • Do they consider it effective?
  • Have they had adequate training?
  • Are DPIAs conducted by those with appropriate authority to effect change?
  • Do staff use the DPIA template and find it easy to understand?
  • Is the process effective?
  • Is the DPO satisfied that their advice is taken into account?
  • Are they satisfied with any consultation that has taken place and how you reflect any feedback in the outcome?
  • Do staff understand when to consult the ICO?
  • Do you effectively integrate outcomes from DPIAs into projects?
  • Are appropriate stakeholders aware of the outcomes of DPIAs?

About the Author

Cristina is recognized as a leader in the GDPR industry and has 25+ years of experience working for large international corporations. During this time Cristina has acquired an extensive knowledge and practical application of data protection, risk management and compliance. Cristina uses all of her expertise in helping her clients of all sizes to improve their understanding of the GDPR, how it can strengthen their brand, and how it can support them to drive business growth. Cristina is the creator of the ‘GDPR 3 Stages Maturity Lifecycle’ and of the ‘GDPR Toolkit’.