Assessing and Recording Risk (Insight Blog 4 of 9)
Data Protection – Assessing and Recording Risk
Risk is often managed by following best judgement and in many instances this is the best way to facilitate fast and informed decision making. However, to remain compliant with Data Protection regulation an organisation needs to document risk considerations in a structured way.
Risk assessments need to be recorded in a number of instances. The degree of intensity of risk assessments can vary considerably depending on situation and the scale and nature of the organisation.
When is a ‘documented’ Risk Assessment is Required?
GDPR (General Data Protection Regulation) generally serves to minimise risks to the ‘rights and freedoms’ of data Subjects (individuals whose personal data is held by an organisation). When risk is assessed for the purpose of GDPR it is the ‘risk to the Subject’ that needs to be considered. Recital 76 of GDPR clarifies that this must be an ‘objective assessment’. The three most likely reasons for an organisation to require a formal assessment of risk are;
Relying on “legitimate Interest” as an legal basis for processing personal data
Many organisations rely on this basis for processing personal data e.g. the use of CCTV, GPS, voice recording, the use of customer or employee data in business processes and etc. This basis for processing can only be used where it does not ‘override the rights and freedoms of the Subject’. Norms have been established for many forms of processing and a risk report is not necessary. However, in others a risk assessment is needed to justify a particular use of data.
In the event of a breach the level of risk to the Subject will define your requirement to report the breach to the Data Protection Commissioner DPC or to Subjects. This needs to be assessed promptly to ensure compliance.
The requirement for a Data Protection Impact Assessment
An Data Protection Impact Assessment (DPIA) is required by law when processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’. If an organisation processes personal data in a manner that could possibly require an assessment, and decides not to, a well structured risk report is essential to justify that decision.
Types of Risk Assessment
Risk to the Subject is typically considered from four different perspectives depending on the situation;
The Data Protection Principals – outlined under GDPR.
Guidelines on Data Protection Impact Assessments – Criteria described in the EU Article 29 Committee direction (reference WP248).
Categories of harm – described under Recital 75 of GDPR.
‘Common sense’ risk process – for a quick determination if the risk is anything other than low risk. Typically used in the event of a breach.
The risk that Data Protection regulation poses to an organisation should be treated separately.
Performing your Data Protection Risk Assessment
There are four essential parts to completing your Data Protection risk assessment. Remember to keep it simple and easy to understand.
Considering the elements of risk to the Subject. These may include financial, denial of rights, embarrassment, physical harm etc.
Elements of risk should then be scored in terms of ‘likelihood’ and ‘severity’.
Scoring should be benchmarked to ensure consistence and imposes objective standards.
The assessor should have a clear and documented method of determining what scores mean. For example; high, medium and low risk.
Free Data Protection Breach Process
We have published a free Data Protection breach process that you can find here. This template can help you organisation quickly and effectively manage a Data Protection breach event. Should you need expert advice managing a breach event or completing your risk assessment please contact us without delay.