These slides provide guidance on the risk-based approach to data protection, including its elements, functions, and application under the GDPR. They aim to help organizations go beyond mere compliance and effectively implement a risk-based approach.
Guidance for using these slides (remove before delivering)
These slides are meant to be easily adaptable to different audiences. To facilitate this, each slide is assigned to a specific audience (see „relevant for:” in the notes). In the notes section below each slide, you find an indication of the slide's degree of difficulty [i.e. whether it is suited for data protection beginners or not], its target audience [everyone vs authorities, lawyers, data protection officers, etc.], and its degree of importance [whether it is essential that you deliver it, or whether it can be removed without impacting the effectiveness of the training].
Prior to training delivery, please:
• Read the slides and the notes thoroughly
• Take a look at the reading materials; they also serve to assist you in your preparation
• Remove/hide the slides that you consider unnecessary [right click on the slide miniature on the left and click 'hide slide']. A provisional categorisation has been made based on the depth and importance of the respective content
• Adjust slides to national or sectoral requirements
• Add content that you consider essential for your particular audience
• Feel free to replace the default layout with your organisation's layout
How to Read the Slides' Colour Frames [Remove Before Delivering]
• Green – a basic slide: we encourage you to keep it
• Yellow – a medium-level slide: it is important, but removing it does not jeopardise effectiveness
• Red – an advanced slide: consider adapting it to your audience, preparing your audience for it, or removing it if you deem it unnecessary
• Purple – advised adaptation: this slide should contain information regarding the national legislation complementing the EU Regulations; if the content regards a different Member State, we advise you to replace it with the relevant national content
Speaker Name Title Department Contact details
Context These slides explore the notion of the risk-based approach to data protection and the obligations that arise under the risk-based approach as adopted in the GDPR. The aim of this document is to shed light on the notion, elements, function and application of the risk-based approach under the GDPR. The focus is on how the risk-based approach applies in practice and how it relates to complying with the GDPR and its rights-based approach. These slides aim to help public and private organizations apply the risk-based approach and go beyond mere compliance with the letter of the law.
GDPR principles and processes requiring a risk-based approach
The notion of risk
• Risk is not defined in the GDPR.
• A commonly accepted definition of risk refers to a situation involving exposure to danger (Oxford dictionary).
• ‘‘A risk is a hypothetical scenario that describes a feared event and all the threats that would allow this to occur. More specifically, it describes how risk sources could exploit the vulnerabilities of supporting assets in a context of threats and allow feared events to occur on personal data thus generating impacts on the privacy of data subjects.’’ CNIL, Privacy Impact Assessment Methodology (February 2018 edition)
• Risk is context-dependent and is estimated with respect to the severity and likelihood of the incident (cf. Recital 76 GDPR, which ties the likelihood and severity of the risk to the nature, scope, context and purposes of the processing).
What does the GDPR say about the risk-based approach and risky activities (1): • The risk-based approach is explicitly endorsed under the GDPR and the requirement for risk assessments is clearly established in various provisions.
What does the GDPR say about the risk-based approach and risky activities (2):
What does the GDPR say about the risk-based approach and risky activities (3):
What does the GDPR say about the risk-based approach and risky activities (4):
What does the GDPR say about the risk-based approach and risky activities (5):
What does the GDPR say about the risk-based approach and risky activities (6): Additionally, there is an implicit recognition of the risk-based approach throughout the text of the GDPR. For example:
The risk-based approach to data protection: function and advantages (1) It is not a bureaucratic task, but a substantial obligation:
The risk-based approach to data protection: function and advantages (2)
The risk-based approach to data protection: function and advantages (3)
Cost-benefit analysis
• Risk management
• Internal, organisational examples
• ISO standards
• ISO/IEC 29134:2017 - Information technology - Security techniques - Guidelines for privacy impact assessment
• ISO 31000:2018 - Risk management - Guidelines
• Sectoral guidelines
Assessment of two risk-metrics: Risk-severity and risk-likelihood
Practical examples and considerations (1) Case study 1 A company based in the UK offers direct-to-consumer genetic tests. Consumers order their genetic tests and consent to the processing of their personal data, including sensitive data such as genetic data and data concerning health. Key questions
• Is a DPIA necessary?
• Does the consent provided override the requirement to apply the risk-based approach?
• What are the potential risks?
• Who is the data subject at risk?
• How is the principle of data security respected (e.g. through anonymisation measures)?
Practical examples and considerations (2) Case study 2 A small enterprise offers counselling services to vulnerable subjects, such as people suffering from mental disabilities or financial and psychological problems. It also runs fundraising and marketing campaigns. Key questions
• How should priorities be set?
Practical examples and considerations (3) Case study 3 A small research institute is involved in data-driven research (e.g. interviews). A multitude of research projects is going on, and some of them started before the GDPR became applicable. Although these projects complied with the data protection legislation in force at the time, a GDPR assessment should be carried out. The institute is concerned because these projects are already active and data is being processed, but it is also desirable and necessary that the remaining projects are not cancelled or postponed. Key questions
• What should the institute decide?
• Is there any prescribed hierarchy in terms of severity and likelihood of risk?
• Do the potential research benefits play any role?
• When do the anticipated benefits outweigh the risks?
Practical examples and considerations (4) Case study 4 A multinational company offering worldwide IT, technology and enterprise products has decided to expand its network and develop its business activities. As part of this business development, it has decided to proceed with mergers and acquisitions, incorporating SMEs and larger enterprises that run their operations in the local market. Key questions
• In addition to complying with data protection law, does the risk-based approach play any role?
Guidance on data protection risk
• The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. (Art 35(4))
• The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. (Art 35(5))
• Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32. (Art 40(2)(h))
• The EDPB shall, on its own initiative or, where relevant, at the request of the Commission, in particular issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1). (Art 70(1)(h))
Evaluation and feedback Evaluation forms Attendance sheet
Credits These training materials are based on standard training materials developed in the context of the project “Supporting Training Activities on the Data Protection Reform” – STAR (http://www.project-star.eu/). This project has received funding from the European Union under the REC Action Grant programme, Grant Agreement No 769138 (2017-2019). The default version of the training materials is available free of charge on the STAR project website.