Are your GDPR impact assessments all in place?
By 25th May 2018 you will need to have carried out GDPR impact assessments for all processing activities involving personal data of EU citizens. This is really important, even if you are confident your systems, processes and security are in line with the regulation.
This blog takes you through the reasons why, plus exactly what an impact assessment is in the context of data transfer and file sharing.
What is a DPIA?
The Data Protection Impact Assessment – or DPIA – is described in article 35 of the GDPR and then detailed in article 30. DPIAs need to be created for all new workflows and retrospectively applied to all existing workflows.
A DPIA performs several functions at the same time:
- It is a risk and impact analysis
- It is a description of a workflow, including its purpose
- It is a breakdown of the security settings
- It forms the basis for subsequent audit reviews.
The reality is that every workflow handling personal data must be fully documented. There is no official template for this document, but it makes sense to adopt a standard form as early in the process as possible. Consider creating two assessments – one top level and one containing the technical detail.
Think of the top level DPIA as an executive summary providing a description of the processing activity and the reason for doing it. This can be as simple as ‘Sending employee records from HR system to Accounts SFTP server’ and ‘Required for loading monthly payroll’. It should also contain the perceived risks to the process and any mitigations applied. The DPIA needs to be signed off by the Data Protection Officer.
The more technical DPIA should contain the detail of the workflow. We recommend the following as a minimum:
- The software in use
- The Data Controller Name
- The categories of data being transferred
- The recipient category (EU/3rd Country/International Organisation)
- The data retention period
- The security methods being employed (encryption, high availability, recovery options, penetration tests, etc.)
DPIA as a record of processing
Completing a DPIA meets the requirements of GDPR article 30. It means that during an audit, you will be able to provide a document to fully explain each workflow handling personal data.
It also means that you will need to periodically review each DPIA and ensure that it still matches the reality of the situation – every organisation will occasionally have an update to a workflow (planned or otherwise) which does not get adequately documented. Similarly, if something outside the workflow itself changes (for example, retention periods), then the DPIA needs updating. It makes sense to attach the results of continuity or penetration tests directly to the DPIA as evidence, should it ever be required.
White Paper and supporting resources
You can find out more about this and other aspects of the GDPR for data transfer and file sharing in our White Paper. When you download it you will also receive an example GDPR impact assessment template and an interface mapping template. These resources are designed as a guide to support you in meeting the requirements of GDPR articles 30 and 35.