GDPR Implementation: Impact on IT systems

26/04/2018
Insights

The entire General Data Protection Regulation (GDPR) revolves around the protection of personal data, how personal data can be used and so forth. The implementation of GDPR can have a great impact on your IT systems.

Impact analysis on existing/new/changing IT systems in GDPR

Such an analysis is called a ‘Data Protection Impact Assessment’ or DPIA. The following is a structure and documentation for a DPIA as required by the GDPR.

Management summary

This DPIA is an analysis of (future) processing activities for project [ABC] and contains the general context of the organisation and the processing it undertakes, the processing activity itself and an assessment of the risks associated with the processing activities including any measures that need to be taken to mitigate those risks. Finally, it contains the decision on whether or not to initiate a prior consultation with the relevant DPA.

Context

  • Context of the organisation
    Describe the organisation, its tasks or duties and other general information relevant to this DPIA.

  • Context of the processing activity
    General description, more detail will be provided in the following topics.

Data Protection Impact Assessment Project [ABC]

  • General Information
    • Scope: General description of the processing activity or project.
    • Stakeholders involved: List of all relevant stakeholders/actors including organisations such as DPAs, special interest groups, individuals (customers, clients, patients, etc.), the DPO, ...
    • Project planning: Describe relevant deadlines, project roadmap, etc.
    • Processors: Which processors? What is their task? Which contracts or agreements are in place and are they compliant with article 28 of the GDPR?
       
  • Detailed description of the data flow
    Describe, using diagrams, charts or simply text, the data flow of the processing activity starting with the creation or receipt of data, storage, archiving up to the eventual destruction or transfer to external parties, i.e. the full data life-cycle.
     
  • The basic principles of processing Personal Data
    This section will touch on all basic principles for Personal Data processing. Most of the information to be collected here has already been discussed in the previous chapters/sections. In our post 'Principles of processing Data in GDPR' you can find more information on this matter.
    • Transparency, lawfulness
      • Describe how information is provided to the individual (Data Subject) and which legal basis applies to the processing (consent, agreement, law, etc.). Specific attention should be given to a processing based on ‘legitimate interest’.
      • When relevant, include how and when special interest groups and their individuals have been informed or consulted.
    • Purpose limitation: Which are the clear and specific purposes for this processing?
    • Data minimization: Given the previous, which information is required to achieve the processing goals? Will only that information be processed?
    • Accuracy: How is information accuracy guaranteed at the moment of receipt and how is it kept up-to-date (interfaces with other sources, periodic pop-ups for individuals, a user portal with all information,...)?
    • Storage limitation: How long is data kept or stored, and why? Sometimes these terms are defined by law, sometimes the controller will need to decide on an appropriate storage term.
    • Integrity and confidentiality: How is the integrity and confidentiality of the information guaranteed? Which system for information security is in place? (this can be project-specific or for an organisation as a whole)
       
  • Individuals’ rights
    Articles 12 – 22 of the GDPR: how are these rights guaranteed for, and provided to, the Data Subject?
     

Risks

  • Define the inherent risk for this processing activity, i.e. the risks involved before any mitigating measures have been taken. Think about general risks regarding the basic principles of processing or information security, but also aspects that may impact the individual (individuals’ rights, data breaches, sensitivity of the data, ...).
  • Risk assessment methodology
    • How were the risks determined? (e.g. based on a list for the industry, ISO 27002 as baseline, brainstorming sessions, etc.)
    • Risks will receive a score. Define how the scores are calculated to demonstrate that they are objective.
  • Example

NR        DESCRIPTION                                                       SEVERITY   SECTION
RISK-001  No privacy policy                                                 Critical   1
RISK-002  Information security not addressed in any policies                Medium     2
RISK-003  Access control to server X that stores the data is insufficient   High       3
RISK-004  Access control: file server has no granular user control          Medium     6
RISK-005  Purpose has not been clearly defined                              Critical   5
RISK-006  Processor agreements are not in place                             Critical   7


Measures implemented

  • Describe which measures were taken to mitigate the risk, referring to the risks mentioned above:
    • RISK-001
      •  …
    • RISK-002
      •  …
    • RISK-003
      •  …
    • RISK-004
      •  …
    • RISK-005
      •  …
    • RISK-006
      •  …

Residual risks

  • Analyse the risks detected earlier and document in which way the implemented measures address each risk. Any risk that remains after those measures, the residual risk, should be noted here.
     

NR        DESCRIPTION                                                       SEVERITY   SECTION
RISK-001  No privacy policy                                                 Critical   1
RISK-002  Information security not addressed in any policies                Medium     2
RISK-003  Access control to server X that stores the data is insufficient   High       3
RISK-004  Access control: file server has no granular user control          Medium     6
RISK-005  Purpose has not been clearly defined                              Critical   5
RISK-006  Processor agreements are not in place                             Critical   7

  • Decision on prior consultation with DPA
    • Based on the outcome of the residual risk analysis, will a prior consultation with a DPA be necessary? (Check the guidance issued by your local DPA: some DPAs expect to be consulted in cases where others do not.)
    • Where relevant, document the management decision or meeting where the outcome of this DPIA was discussed.

