The new data protection regulation establishes a new approach for the protection of personal data. Companies are proactively responsible. What does this mean? It means that the companies should be concerned and see what the risks are and in case they find them, establish a series of measures to mitigate their effects.
So, all the companies to which the GDPR regime applies are obliged to perform risk assessments. This is the main reason why they will have to perform these previous studies, because only if they detect critical processes will they be able to mitigate them by applying the appropriate measures.
The companies are obliged to perform risk assessments related to the nature, scope, type of processing and the type of data that they process; in accordance with the regulatory compliance measures that have been applied and implemented to date and in relation to information security measures.
This means that they should be concerned about whether they have established a password policy, a protocol for destruction and re-authorization of equipment or if they have established, for example, a policy of using the company’s equipment when the workers are outside the workplace.
And whose responsibility is it to perform a risk assessment? It is an obligation of the controller, not of the DPO or other role in the company.
Impact Assessments (PIA)
In case that existence of extreme risk is detected within the GDPR, the companies should perform an impact assessment or PIA (Privacy Impact Assessment). This implies that we should perform a very specific study and answer a very extensive questionnaire about a specific risk point by point. Impact assessments in the data protection are one of the novelties that the new GDPR incorporates and will force us constantly and recurrently over time to take care of data processing in our company or organization.
When will it be necessary to perform a PIA?
- When the company performs a systematic and exhaustive assessment of personal aspects (profiles)
- When we process sensitive data on a large scale
- Systematic observation of a public access area on a large scale
In addition, two more aspects must be taken into consideration in relation to impact assessments. Firstly, we will have to study the entire life cycle of the data processing that contains this extreme risk. Secondly, the possibility that the data protection officer plays an important role in the resolution and management of this risk will have to be assessed. In specific cases we can reach and consult the Spanish Data Protection Agency (AEPD) to validate if the processing we are performing is in accordance with the European regulation.