July 18, 2017
Many security experts say rights protection has not kept up with the implementation of new technologies and as a result, personal information is more at risk than ever.
The new General Data Protection Regulation (GDPR) will address the issue in different ways, including a Data Protection Impact Assessment (DPIA) requirement in the workplace in certain circumstances. The GDPR will supersede the Data Protection Act in the UK, and it comes into effect next May. But it will also apply to all companies, anywhere in the world, that process information about EU citizens.
According to GDPR guidance papers, in certain circumstances, including when a company is going to be handling personal data using new technologies, the GDPR will require a Data Protection Impact Assessment (DPIA).
A DPIA will assess security risks involved in processing data. This risk assessment process will analyse how proposed uses of personal information might create security risks and then suggest ways to mitigate the risks.
A systematic process is recommended because not only will it better protect data but it will document the entire process showing legislators as well as the workforce, business partners, and customers that the company is committed to information security. This may help reduce liability, negative publicity and damage to reputation.
Step 1: Early on in a project determine if there is a legal obligation to carry out a formal Data Protection Impact Assessment. Some examples of when one is needed include a new project involving the use of personal data, new IT systems that store and access personal information, and data sharing with another company.
Step 2: Identify what data management processes will be required and map out how the personal data, in digital or paper format, will be transmitted, routed, and stored throughout its lifetime. Create an actual diagram that shows how the information flows through the organisation.
Step 3: Identify and evaluate all the potential security risks in the workflow. What are the high risk areas for a data breach? Who are the potential attackers and their motives?
Step 4: Make recommendations on how to mitigate each risk at each step. Document safeguards and how they will protect confidential information from inappropriate disclosure.
Step 5: Implement safeguards to protect confidential and personal data against unlawful processing and disclosure, examples include:
Learn more about the GDPR and how it will affect your business with our downloadable whitepaper.