Regular risk assessments are a part of any security strategy, but under the upcoming GDPR regulations, they will be a requirement. GDPR requires that organizations carry out a data protection impact assessment (DPIA) with a focus on data protection obligations to protect individuals’ expectations of privacy. Failure to conduct a DPIA is considered a breach of the GDPR and could lead to fines of up to 2 percent of an organization’s annual global revenue or €10 million – whichever is greater.
Article 35 of the GDPR outlines that a data protection impact assessment (DPIA) is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required prior to processing or profiling in order to assess the impact of the envisaged processing on the protection of personal data. The assessment shall contain, at least:
- A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- An assessment of the risks to the rights and freedoms of data subjects; and
- The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this regulation, taking into account the rights and interests of data subjects and other persons concerned.
GDPR requires the use of a risk-based approach in evaluating new and existing processes in which sensitive personal data may be accessed, processed, stored or transmitted. In addition, GDPR extends this requirement to new technologies, including databases and endpoint devices where data may be stored or accessed, encouraging organizations to build “privacy by design” into any new project so that potential problems are identified earlier and awareness of privacy and data protection increases.
Although most organizations can successfully run a DPIA on new technologies, ongoing compliance is a problem. Most organizations struggle with visibility over endpoint devices, particularly devices that may be off the network, which makes the ongoing compliance aspect of Article 35 next to impossible. At Absolute, we’ve been leveraging our position in the firmware of endpoint devices to perform Endpoint Risk Assessments that don’t require network connectivity, which allows organizations to evaluate and benchmark security controls over new and existing processing areas. As part of their ongoing security measures, organizations can establish policies and alerts to monitor the security of these endpoints, including device location and self-healing of critical security applications such as encryption and anti-malware.
Article 35 is one area where organizations are requesting compliance clarification; so are Article 32 on security of processing and Articles 33 and 34 on breach disclosure and response. Read my earlier posts on both topics.
For more on how Absolute can support your GDPR efforts across a variety of GDPR Articles, visit Absolute.com/GDPR.
The information in this blog post is provided for informational purposes only. The materials are general in nature; they are not offered as advice on a particular matter and should not be relied on as such. Use of this post does not constitute a legal contract or consulting relationship between Absolute and any person or entity. Although every reasonable effort is made to present current and accurate information, Absolute makes no guarantees of any kind. Absolute reserves the right to change the content of this post at any time without prior notice. Absolute is not responsible for any third party material that can be accessed through this post. The materials contained in this blog post are the copyrighted property of Absolute unless a separate copyright notice is placed on the material.