The 25 May 2018 introduction date for the General Data Protection Regulation (GDPR) will see the European Union legally enforcing the manner in which all EU Member States manage data protection issues. It is hoped that this will lead to a new level of uniformity. It is vital to remember that this does not just apply to companies and organisations based within the EU, but also to companies that process the personal data of EU citizens but do not have an office there.
To comply with GDPR, companies must process personal data in line with the new rules. This means that a Data Protection Impact Assessment (DPIA) must be completed for the various items of personal data they hold.
High Risk Data Processing Under GDPR
GDPR guidance is available that describes dangerous processing activities. Companies should review this guidance, and the guidelines it provides about the damage that could result from high risk and very high risk processing.
High risk processing cannot be classified as a whole; it should instead be identified against a set group of criteria, including security of data, possibility of a security breach, assurance of privacy, restriction of purpose and the fairness of the processing involved. It should be remembered that merely using new technology should not be defined as high risk on its own; it needs to be reviewed along with other areas.
Each piece or area of information should be reviewed in its own context, as what might be considered high risk in one sector may not be in another. Companies also need to address risks that have been discovered. If addressing these issues does not seem possible, prior consultation with the relevant Data Protection Authority (DPA) should be sought.
In relation to GDPR, identifying high risk and very high risk processing is all about reviewing areas such as scope, reliability and security, as well as the potential damage that could result from issues. Firms then need to address these risks in order to ensure they comply with GDPR.