Mmf-mmfmfmffff! Mf-mf mmf! Mmffffmmfmmffmfffmmmf... Mmmf? Mf!
Sorry... erm... hi everyone! Zarte here! Apologies for that, I’ve been worrying about GDPR a bit and burying my head in the sand... probably should come out to talk to you though. Especially as in reality, I’m probably being a bit daft. I mean in reality, it’s not too hard to get your head around. You’ve already seen us explain WHAT it is, but how about steps you need to be taking in readiness for its implementation on May 25th?
Well this article is all about one of the big steps which you need to take before May 25th, and that’s to run an impact assessment, known as a Data Protection Impact Assessment – or DPIA. These assist in helping organisations to identify, assess and either mitigate or minimise risks to privacy within their data processing activity. Not only is it important to do this for existing processes, but it will also be vital to do them for any time moving forwards that a new process, or indeed system or piece of technology relevant to the processes is introduced.
These will allow you to be able to demonstrate compliance with GDPR, which is one of the big changes from the Data Protection Act. It’s not enough to be complying with it, you must be able to demonstrate how you’re doing so. Failing to do so could result in fines of up to ten million points or 2% of an organisation’s global turnover – whichever is higher.
An assessment should be made any time where data processing, in the GDPR’s words: “is likely to result in a high risk to the rights and freedoms of natural persons” – this could be because of automated processing or profiling as a result of data provided by persons. It could be because the data being processed pertains to special categories of data, such as information related to criminal convictions. Or it could be because the processing is systematic monitoring of a publicly accessible area on a large scale.
As stated, an assessment should be carried out before any new process or project, so that any risks found can be countered early on, and not require rescuing later. To look to implement privacy into your plans in the first instance is known as privacy by design and can have a number of benefits, aside from the aforementioned early solution. It’s likely to cost less in the long run as issues will have less of a financial impact. It’s likely to increase customer trust ratings as the natural tentativeness will lead to a less intrusive policy. And perhaps most concisely and relevantly of all, organisations who deal with the GDPR up front, will be less likely to breach it.
Who the assessment should be carried out by depends on the makeup of the company. In some industries, and individual businesses, someone will have the expertise to be able to designate themselves/be designated as the data protection officer (DPO) for the business. In others, such a luxury may not be able to be afforded, and so you’ll be required to bring in an external expert to consult and carry out your DPIAs.
All in all, when all things are put together, a DPIA should end up displaying the progression of 6 key steps. These are:
- To identify the need for a DPIA
- To describe the flow of information
- To identify data protection and other associated risks
- To identify solutions to reduce or eliminate the aforementioned risks
- To sign off the outcomes of the DPIA
- To integrate the solutions and other findings into the project being assessed
So there you have it. I realise this isn’t necessarily the most entertaining article I’ve ever written for you, but let’s be honest, it isn’t the most entertaining subject material. But it IS vital to your customers and to your business, and so you really must get on with making sure your business is fully compliant before it’s introduced. We can be on hand to support you with changes you need to make if necessary, so feel free to get in touch with us to talk to one of our team if you’re finding the whole process a little intimidating. But otherwise...
Until next time,
Zarte