Any organisation that’s required to comply with the GDPR (General Data Protection Regulation) must conduct regular risk assessments.
This isn’t just because the Regulation says so; it’s because risk assessments are essential for effective cyber security, helping organisations address an array of problems that, if left unchecked, could cause havoc.
Organisations might assume that the only risks they face are from cyber criminals trying to break into their systems.
However, the GDPR is clear that data is also vulnerable to accidental or unlawful destruction, loss or disclosure. The ways in which these could happen need to be identified at every stage of the data handling process.
The GDPR risk assessment methodology
The goal of any information security risk assessment methodology is to make sure everybody conducting the assessment or interpreting its findings is on the same page.
You must have a methodology – i.e. a set of rules defining how to conduct the risk assessment – to make sure risks are evaluated consistently, so that you can compare and prioritise them on an equal footing.
Methodologies also outline specific terms for an organisation’s:
- Baseline security criteria: the minimum set of defences to fend off risks;
- Risk scale: a universal way of quantifying risk;
- Risk appetite: the level of risk the organisation is willing to accept; and
- Scenario- or asset-based risk management: the strategies for reducing the damage caused by particular incidents (scenarios) or the damage that could be done to particular parts of the organisation (assets).
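To make the four terms above concrete, here is a small risk register that applies them consistently to a handful of risks. This is an added illustration, not part of the original post or of any vendor's product; the 1-to-5 scale, the risk appetite of 8, the baseline control set and the sample risks are all constructed assumptions, and a real methodology would define its own values.

```python
"""Added example: a minimal risk register applying a fixed risk scale,
a risk appetite, baseline security criteria and scenario-/asset-based
scoring consistently. Scale, appetite, controls and risks are constructed."""
from dataclasses import dataclass, field

# Risk scale: likelihood and impact are each rated 1 (low) to 5 (high);
# the risk score is likelihood x impact, so it ranges from 1 to 25.
SCALE_MIN, SCALE_MAX = 1, 5

# Risk appetite: any scored risk at or below this level may be accepted.
RISK_APPETITE = 8

# Baseline security criteria: controls every asset holding personal data
# must have regardless of its score (assumed set for illustration).
BASELINE_CONTROLS = frozenset({"access_control", "backup", "encryption_at_rest"})


@dataclass
class Risk:
    asset: str          # asset-based view: what the risk affects
    scenario: str       # scenario-based view: how harm could occur
    likelihood: int     # rated on the scale above
    impact: int         # rated on the scale above
    controls: frozenset = field(default_factory=frozenset)

    def score(self) -> int:
        """Likelihood x impact; rejects ratings outside the agreed scale so
        that every assessor uses the same numbers."""
        for value in (self.likelihood, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"rating {value} is outside the {SCALE_MIN}-{SCALE_MAX} scale")
        return self.likelihood * self.impact

    def missing_baseline(self) -> list:
        """Baseline controls this asset lacks, sorted for stable output."""
        return sorted(BASELINE_CONTROLS - self.controls)


def assess(risks):
    """Score each risk, decide treat/accept, and return the register ordered
    from highest to lowest score so priorities can be compared directly."""
    register = []
    for risk in risks:
        score = risk.score()
        gaps = risk.missing_baseline()
        # A risk needs treatment if it exceeds the appetite OR the asset
        # falls short of the baseline criteria, whatever its score.
        decision = "treat" if (score > RISK_APPETITE or gaps) else "accept"
        register.append({
            "asset": risk.asset,
            "scenario": risk.scenario,
            "score": score,
            "missing_baseline": gaps,
            "decision": decision,
        })
    register.sort(key=lambda entry: entry["score"], reverse=True)
    return register


# Constructed sample register covering accidental loss, unlawful disclosure
# and external attack, as the GDPR's definition of a breach does.
SAMPLE_RISKS = [
    Risk("HR database", "accidental deletion by an administrator", 3, 4,
         frozenset({"access_control", "encryption_at_rest"})),
    Risk("laptop fleet", "loss of a device that is not encrypted", 4, 4,
         frozenset({"access_control", "backup"})),
    Risk("marketing mailing list", "unlawful disclosure via misaddressed e-mail", 2, 3,
         BASELINE_CONTROLS),
    Risk("web application", "external intrusion", 2, 5, BASELINE_CONTROLS),
]

if __name__ == "__main__":
    for entry in assess(SAMPLE_RISKS):
        print(f"{entry['score']:>2}  {entry['decision']:<6}  {entry['asset']}: "
              f"{entry['scenario']}  missing={entry['missing_baseline']}")
```

Running it lists the laptop fleet first (score 16, missing encryption at rest) and accepts only the mailing-list risk, which sits within the appetite and meets every baseline control. The point is the consistency: because scale, appetite and baseline are fixed in one place, two assessors rating the same asset cannot reach different treatment decisions from the same ratings.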
You can find out more about the risk assessment process by following ISO 27001’s guidance. The international standard for information security contains a best-practice framework for evaluating risks and is closely aligned with the GDPR.
Get started with vsRisk
The complexity of risk assessment auditing, along with the repercussions of getting it wrong, means that most organisations benefit from getting expert advice.
Our risk assessment software tool vsRisk™ helps organisations conduct an information security risk assessment efficiently and easily, eliminating the need for spreadsheets, which are prone to user input errors and can be difficult to set up and maintain.
The software tool is:
- Easy to use. The process is as simple as selecting some options and clicking a few buttons.
- Able to generate audit reports. Documents such as the Statement of Applicability and risk treatment plan can be exported, edited and shared across the business and with auditors.
- Geared for repeatability. The assessment process is delivered consistently year after year (or whenever circumstances change).
- Streamlined and accurate. Drastically reduces the chance of human error.
DPIA risk assessments
There is more to the GDPR and risk assessments than the threat of data breaches. There are also times when you must complete a specific type of risk assessment, called a DPIA (data protection impact assessment), to review the way you process personal data.
DPIAs are necessary whenever personal data processing is “likely to result in a high risk” to the rights and freedoms of individuals.
The GDPR doesn’t define what ‘high risk’ is, but it does provide a few examples:
- Systematic and extensive profiling with significant effects;
- Large-scale processing of personal information; and
- Public monitoring.
The ICO (Information Commissioner’s Office) adds that you must conduct a DPIA if you plan to:
- Use innovative technology (in combination with any of the criteria from the European guidelines);
- Use profiling or special category data to decide on access to services;
- Profile individuals on a large scale;
- Process biometric data (in combination with any of the criteria from the European guidelines);
- Process genetic data (in combination with any of the criteria from the European guidelines);
- Match data or combine datasets from different sources;
- Collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
- Track individuals’ location or behaviour;
- Profile children or target marketing or online services at them; or
- Process data that might endanger the individual’s physical health or safety in the event of a security breach.
How to conduct a DPIA
The GDPR doesn’t specify a framework for completing a DPIA, which can make it tricky for those getting started.
This is where our DPIA Tool comes in. Our experts created this software to guide you through the assessment process.
It’s suitable no matter how familiar you are with the GDPR’s requirements. We show you the questions you need to ask and how to find the answers, and even provide links to the relevant sections of the GDPR so you can learn more about why each process is necessary.
A version of this blog was originally published on 4 April 2018.