GDPR risk assessment

Recently in preparations for a Data Protection post-graduate Certificate, I discovered what perhaps few EU citizens are aware of -> that modern European Privacy Rights have their roots in the operations of the STASI (the former east-German Ministry of State Security) and the NAZI party in the late 1930s. One person in seven of the then east German population were informing the STASI on the rest. GDPR & DPRIA., stand for General Data Protection Regulation and Data Protection Risk Impact Assessment, respectively.GDPR Risk assessment 2

This Blog uses the  term ‘Data’ in the context of ‘personal data relating to an identifiable Data Subject’ . If you are a Decision-maker in an Irish Company and your Company uses data on European Citizens then, you really do need to get familiar with the steps necessary to comply with GDPR and DPRIA.  GDPR will become mandatory from 25th May 2018 onwards, and Companies that are not sufficiently geared-up for compliance will be subject to seriously substantial financial fines in tandem with potentially greater reputational damages. By way of direct preparation for the seismic impact on 25th May 2018, GDPR risk assessment has just become  everyday terms in business strategy  for  entities that use and/or store data on citizens of the European Union and far beyond.

The Regulation will put individuals in control of their personal data, empowering them to choose how (and whether at all) businesses use their data. Where an individual’s personal data is not treated in compliance with GDPR risk assessment, the affected individual will have legal recourse and a potential financial compensation claim. Additionally data protection Regulators within the EU will be adequately resourced to enforce the new provisions. Penalties can be applied up to 4% of Global Turnover.Uncompromising Fines coming down the tracks on 25th May 2018GPRR Risk Assessment 1

A now-timely starting point would be to commission a GDPR Risk Impact Assessment to seek to identify & subsequently address what the real GDPR risks are for your business.

The GDPR will result in wide-scale data privacy transformation requirements across every business, particularly Financial Services providers, whose lifeblood is their Client data.
Building blocks for embarking on a Risk Impact Assessment  might entail the following:

Be aware of the location of your Data

You need to have a clear understanding of what data you hold, why you need it, where it is stored and who has access to it.  What systems exist for monitoring the risk of duplication, inaccuracy and failure to delete obsolete data on a timely basis?

Have an awareness of how related parties use your shared data

Most organisations share data with third parties.  These might be clients, suppliers, regulators or partners. You must understand and manage the risks inherent in the transfer of data to third parties and ensure your data is protected adequately by those you share it.

Give your Clients a reason to be confident in your Business

Data protection is now a central aspect of  business operations.  Customers need to be confident in the organisations that share their personal data. All key staff must cultivate a new awareness of the true meaning of Data Protection.  It is important to adopt an organisation-wide approach, embracing data protection and privacy management into your overall business strategy.

Test and Enhance your data processing & storage systems

How quickly would you be able to identify all of the data elements pertaining to a particular individual across your organisation? Being able to do this will not only enable you to meet the relevant requirements under the GDPR Risk Assessment, but will also allow you to unlock the full value of the data assets held by you.

Develop a familiarity with meaning, potential benefits & efficiencies of Data Minimisation

Are you using data for the purpose you have committed to (and not for any ulterior/ undeclared purpose)? Businesses must ensure that they only gather and process classes of personal data that they legitimately need for the purposes they have previously identified.

Manage Data Subjects’ consent

The rules on consent are  getting more stringent – a single unchecked box is now insufficient, and individuals may withdraw their consent at any time. Opting-in processes must be provable, existing customers wont be opted-in automatically. The actioning of consent withdrawal must be as easy as the process of giving consent.

Constantly monitor & control degrees of privacy risk and data security

What are the risks inherent in your processing & storage of personal data? What protections are in place against Cybercrime? Is there a parallel contingency plan?

Generate a privacy and data protection strategy that has inbuilt GDPR ‘compliance-by-design’

You need to maintain awareness of legal developments here and abroad in the ever-changing privacy landscape, and reflect these in your business plans and strategies.  These should reflect an end-to-end approach and cover every entity across your entire global organisation that processes personal data, originating from the EU.

Consider recruiting a Data Protection Officer (DPO)

The majority of organisations will need to appoint a DPO to act as a point-of-contact with DP Regulators. Inter alia he/she would be tasked with fostering high levels of privacy awareness, sampling & strict compliance with the GDPR Risk Assessment. Their brief is to directly report to decision-makers at senior/board level.

The two-year grace period for implementation, is now well-advanced, with 13-months remaining. Organisations must critically appraise approaches to data protection and privacy in preparation for the GDPR D-day, on 25 May 2018.


Ronan Coburn is a Forensic Accountant, and  a contract Certified Data Protection Officer [CDPO]