What does the obligation to conduct a risk assessment and DPIA involve?
FORMAL ANSWER
Obligation to conduct a risk assessment: pursuant to Article 32 GDPR, the level of security of personal data should be appropriate to the risk of infringement of the rights or freedoms of natural persons, of varying likelihood and severity. In order to assess what measures are appropriate, account must also be taken of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. When assessing whether the level of security is appropriate, particular account is taken of the risks associated with processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data transmitted, stored or otherwise processed.
Obligation to conduct a DPIA: pursuant to Article 35 GDPR, where a type of processing — in particular using new technologies — is likely, by virtue of its nature, scope, context and purposes, to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. The assessment shall contain at least:
1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
3. an assessment of the risks to the rights and freedoms of data subjects;
4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR.
PRACTICAL ANSWER
The obligation to conduct a risk assessment for resources processing personal data arises in practice at all times, because data must always be secured appropriately to the risk of a breach. Resources or assets processing personal data include, for example, a laptop, a printer, a collection of paper documents, an archive room, or HR staff. A lack of technical safeguards (e.g. encryption, antivirus software) or organisational safeguards (e.g. a clean desk and clear screen policy, disciplinary liability) may lead to an incident.
A DPIA is an assessment in which data subjects are placed first and an evaluation is made of what harm could befall them in the event of a breach of data protection. The obligation to conduct a DPIA depends on whether factors increasing the likelihood of an incident are present in the process. Examples of such factors include processing of sensitive data, systematic monitoring, large-scale processing of data, or the use of innovative technological solutions. The presence of such factors may increase the likelihood of a breach, as well as the severity of its consequences.
MORE:
- How to conduct a risk assessment in accordance with GDPR – practical guidance
- Dr RODO application – carry out an audit, risk assessment and DPIA independently
- GDPR risk assessment calculator
- Pre-DPIA form
- DPIA form