EU GDPR makes the Risk Impact Assessment the new norm for all organisations

Posted on January 30, 2017


Although security of personal data has always been a legal obligation for organisations, the new EU GDPR (General Data Protection Regulation), coming into force on 25th May 2018, reinforces the legal obligations on data controllers both in substance and in context, extends responsibility directly to data processors, and embraces a risk and impact based approach.

The impact of a potential personal data breach on the data subjects is now a major aspect of the formal GDPR requirement for a Data Protection Impact Assessment under Article 35. Security, in the sense of integrity and confidentiality, is established as one of the principles relating to personal data processing under Article 5. This puts security at the core of data protection, alongside lawfulness, fairness and transparency, purpose limitation, accuracy and storage limitation, and adds an obligation to assess the risks to data and their impact.

In the ‘typical’ risk assessment process, risks are estimated based on their potential impacts on the organisation. In the case of personal data processing, however, the impacts must now be considered with regard to the rights and freedoms of individuals. This is a significant difference, as it switches the analysis of impacts towards the possible adverse effects that an individual may suffer rather than the traditional focus on the impact on the organisation holding the data. Consequently, organisations that believe they already have the appropriate risk assessment and subsequent security controls in place for GDPR on the basis of this old premise will need to pivot 180 degrees and revise those organisation-centric attitudes to treat the data subjects as the principal object. As if that were not enough, an additional challenge is that, in order to calculate the risks and their impact, possible secondary adverse effects on the rights and freedoms of individuals must also be considered. For example, just because your organisation got users to change their login credentials following a breach does not mean the risk impact on the data subjects has been mitigated: users often reuse credentials across systems, so exposure of one set of credentials could mean exposure across multiple systems. The EU Commission’s ‘Article 29 Working Party’ provides extensive guidance on personal data breach notifications in its ‘Opinion 03/2014 on Personal Data Breach Notification’.

The EU GDPR provision for a risk and impact based approach is horizontal: there are no exemptions or practical lightweight approaches based on organisation size, availability of resources or capabilities. Like larger organisations, SMEs (Small and Medium Enterprises) will have to identify the level of risk, depending on the nature, scope and context of processing, along with the types and volumes of data processed. Whilst there are some concessions to SME businesses in relation to record keeping, the EU GDPR applies to all organisations engaged in economic activities involving the processing of personal data of EU citizens. Applicability therefore depends upon the nature of the processing being performed, not the quantity of records or the size of the organisation, although the wording of the regulation uses the term ‘large scale’ in relation to the threshold for the appointment of a Data Protection Officer, a definition for which is not made clear. However, in the EU GDPR drafts it was defined as 250 employees or 5,000 data records, so this would probably be a reasonable assumed threshold. Nevertheless, when it comes to the risk assessment obligation on SMEs there are no exceptions.

This requirement for risk assessment is timely. It only takes a single infected computer to compromise an organisation, a family network or an individual’s identity, with the potential to also act as a bridgehead from which threat actors can infect thousands and perhaps millions of others. Each of us has a role to play, and we all should be taking basic cybersecurity measures that improve individual and collective, not just corporate, cyber hygiene. This means:

  1. Assessment – Assessing the risks you are exposing yourself to as an individual or as an organisation, and identifying the valuable assets that could be at risk
  2. Treatment – Committing to adequate protection of assets, both in the systems you use and in your practices, in a spirit of managing cyber security risks NOT as a one-off but on an ongoing basis
  3. Acceptance – Acknowledging that, despite treating all manageable risks, there will be risks that still exist and need to be acknowledged and prepared for, using more traditional means of risk offset such as insurance
  4. Communication – Making sure all stakeholders are made aware of the risks, the treatments adopted and their obligations in supporting the controls

Oh yes, and don’t forget: it is too easy in our digitised world to overlook that many personal data breaches occur due to a lack of physical protection measures. Simple, practical things like locks on doors and cabinets create secure operating environments, as do secure paper disposal systems. Paper-based files are usually part of the input to, or the printed output of, an information system and can contain personal data, which should also be protected from unauthorised disclosure and re-use.