The imminent introduction of the General Data Protection Regulation (GDPR) on May 25, 2018, has many questioning what types of data or data processing are considered high risk or very high risk under the new law. As one of the main goals of the GDPR is to legislate data protection procedures concerning individuals within the European Union (EU), the concept of levels of risk may be of great importance in ensuring compliance.
The GDPR should harmonize how the data of those located within the EU is collected, stored, and processed. These new rules will not just concern organizations located in EU member states, but also organizations located anywhere across the globe that manage data collected within the EU.
To ensure compliance, groups will need to review their procedures and modify them to meet the criteria of the regulations. A first step for many will be a Data Protection Impact Assessment to audit and assess the personal data that they currently possess. Indeed, this is a required measure under the GDPR which states “the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk”.
Identifying High Risk Processing Activities
The GDPR will create the European Data Protection Board. In the text of the law, it is noted that guidance on high risk processing activities may be available from this Board – “guidance on the implementation of appropriate measures and on the demonstration of compliance […] especially as regards the identification of the risk […] and the identification of best practices to mitigate the risk, could be provided […] by the Board”. Organizations should seek out and follow these recommendations if they are available.
The GDPR gives no definition of what exactly constitutes high risk, only that it should be determinable following assessment. The law gives the processing of large amounts of data or of sensitive data as examples likely to result in high risk. The assessment should evaluate “the origin, nature, particularity and severity of […] risk”. Areas that should also be assessed include data security, the potential for breaches of security, privacy concerns, the extent of data held or collected, and the type of processing activity carried out.
The guidance provided within the regulations on risky processing activities states “such types of processing operations may be those which, in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing”. Any one of these criteria on its own, such as a new technology being used, does not automatically mean that the processing is high risk; everything should be considered in the overall context.
Following the assessment, organizations are obliged to take action to reduce the risks identified. Appropriate organizational and technical measures should be put in place to address weaknesses. Should a controller be concerned that they cannot adequately mitigate a risk, they should consult with their supervisory authority before processing occurs.
The GDPR requires that risks be assessed, identified, and addressed insofar as possible. When determining the severity of a risk, account should be taken of the nature, scope, context and purposes of the processing, as well as the sources of the risk. All actions taken to reduce risks must be documented for review by supervisory authorities. Failure to assess, address, or record risk reduction measures will most likely be considered a violation of the GDPR and could result in penalties and financial sanctions.