A GDPR Impact Assessment, also known as a Data Protection Impact Assessment (DPIA), can be a great way to gauge and measure your company’s data handling and preparedness for a breach of this new and important regulation. You can use DPIAs to identify compliance gaps, assess the severity of those gaps, and address them before they become a serious risk.
Although many companies have undertaken GDPR Impact Assessments as they prepare for GDPR, they should really be integrated into your processes as a checkpoint for any new project. This is part of the privacy-by-design requirement under the GDPR. It\’s not just a compliance argument, though: adding critical checkpoints into your project design process will save you the time and expense of going back to make fixes later.
In working through the design of DPIAs and in the integration of GDPR compliance checkpoints into all of your processes, your Data Protection Officer (if you have one) will need to be involved, of course. In addition to anyone in a data privacy role, you’ll also want to loop in both 1) technical employees who understand how data is handled and who can access it, and 2) business stakeholders who can provide a holistic overview of why you’re collecting any given piece of data, and whether you have the legal authority to retain it.
Key Steps in a GDPR Impact Assessment
Perform an Audit
All organizations must fully scour their entire business-technology environment to identify where sensitive data may reside. No organization can afford to assume it knows where all of its data resides, and no cloud operations and security team can afford to assume it knows all of the data on its clouds at any given time. To be certain, it takes a comprehensive data assessment of every storage cluster, container, virtual workload, and any other location where data would likely be at rest, traveling, or processed. It’s particularly important to note how and where data flows between destinations.
Identify the Gaps
All identified data will need to be classified so that everyone acknowledges what sensitive and regulated data resides on the cloud. The team will then need an ongoing ability to identify regulated and sensitive data. If data are transferred between third parties, take note. Look for things like:
- Where does the data go?
- Is there any information missing that would help you to classify your data?
- Does the data travel to other countries and locations within the EU with different privacy rules, or does the data leave the EU for other nations?
- Is this compliant with data privacy laws?
When there is a breach (and there will be!), do you know:
- How the incident will be audited?
- How the data will be valued for financial loss and customer impact?
- Should data be destroyed or become inaccessible, how will it be recovered?
Be sure to include all aspects of the business – from data owners to information security, through the data-protection officer, legal teams, and public relations — in the process of auditing your current state and identifying existing compliance gaps.
Address the Riskiest Issues (First)
Following the assessment, it’s time to develop a plan to fill the gaps between where the cloud currently stands against GDPR compliance and where it needs to be. Unless it is brand new, chances are, your cloud was not designed with GDPR in mind. It will require a team effort to rectify and, depending on the organization, could include application and data owners, DevOps teams, cloud owners, legal and regulatory compliance teams, and other related constituents in order to appropriately address your organization’s biggest risks.
In areas where access governance is light, look for ways to tighten who has access to what. If the controls on how Personally Identifiable Information (PII) is managed within the cloud are weak, look for ways to button that down. Make sure that all GDPR data are backed up and accessible. Make sure that there are ways to monitor data integrity.
As the organization looks for ways to bring non-compliant situations into compliance, start with the most egregious challenges first. These will usually fall around areas of identity management, configuration management, poor encryption controls, lack of adequate data classification, data availability and recoverability, and such. As any new processes and procedures are put into place, look for ways to automate processes and monitor for anomalies. These built-in compliance checkpoints will become critical to identifying and addressing new issues as they arise.
GDPR Impact Assessments Are Only the Beginning
While the latest GDPR regulation comes with a considerable learning curve for companies both within and outside of the EU, the most important action you can take is to curtail inaction. GDPR Impact Assessments are a great tool to do that, since it’ll push your organization to constantly re-assess and address persisting data privacy issues.
Although it can become an immense project in and of itself, there are resources available to help you with this, like workshops and how-to guides. Look for something that most closely fits the need of your organization, and run with it. You and your teams can perfect the process as you go.