In September 2018, the UK Information Commissioner’s Office (ICO) fined the UK arm of the credit reference agency Equifax £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017.
The ICO investigation revealed multiple failures at the credit reference agency which led to personal information being retained for longer than necessary and left vulnerable to unauthorised access.
The failings occurred before GDPR came into force in May 2018, so the investigation was carried out under the Data Protection Act 1998 and the fine was the maximum that legislation allowed. Had the failings occurred after GDPR took effect, the fine could have been much higher.
Fines under GDPR are set in accordance with the risk profile of the processing and the extent to which those risks were appropriately addressed. Over the next few years GDPR will start to bite: organisations that suffer a serious privacy breach and cannot demonstrate a diligent, risk-based approach to their handling of personal data will face very serious penalties. Conversely, organisations that have addressed the risks to their operations may face reduced fines, or avoid fines altogether, even if those measures failed to prevent a breach.
GDPR: A risk-based regulation
GDPR requires a risk-based approach to compliance: organisations must consider risks of varying likelihood and severity to the rights and freedoms of natural persons. This is a different emphasis from the management of business risk, which typically focuses on financial, reputational and other impacts to the organisation rather than on impacts to individuals.
Appropriate risk-based technical and organisational measures must be implemented to:
- Demonstrate processing in accordance with the regulation (Article 24)
- Design processing to implement the data protection principles and integrate the necessary safeguards (Article 25)
- Ensure a level of security appropriate to the risk (Article 32).
These are ongoing requirements: organisations must monitor, review and update their processing to remain compliant with the regulation.
Risks to privacy
Risks to privacy align with the data protection principles: lawfulness and fairness; transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; availability; personal participation and access; and accountability.
For the security-related risks, organisations should consider the need for pseudonymisation and encryption of personal data (Article 32). Other risk-based measures must be taken to ensure the ongoing:
- confidentiality, integrity, availability and resilience of processing systems and services
- ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- compliance with data protection principles.
These should be backed up by processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.
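Pseudonymisation sits alongside encryption in Article 32, but a hash of an identifier is not on its own a pseudonym: if the hash is unkeyed, anyone holding a list of plausible identifiers (e-mail addresses, national ID numbers) can rebuild the mapping. The Python below is an added example, not code from the original article. It contrasts an unkeyed SHA-256 "pseudonym" with an HMAC-SHA256 pseudonym whose key is held apart from the dataset, and runs the same dictionary attack against both. The customer records and the attacker's address list are constructed for the demonstration; only the standard library is used.

```python
"""Pseudonymisation of a direct identifier (an e-mail address) for analytics.

Added example; not code from the original article. The sample records and
the attacker's candidate list are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample: customer records as they might appear in a CRM export.
CUSTOMERS = [
    {"id": 1, "email": "alice@example.com", "plan": "gold"},
    {"id": 2, "email": "Bob@Example.com", "plan": "silver"},
    {"id": 3, "email": "carol@example.org", "plan": "gold"},
]


def normalise(email: str) -> str:
    """Canonicalise so the same person always maps to the same pseudonym."""
    return email.strip().lower()


def naive_pseudonym(email: str) -> str:
    """Unkeyed hash: looks anonymised but is reversible by dictionary attack."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held separately from the dataset.

    The key is the 'additional information' of GDPR Article 4(5): without it
    the pseudonym cannot be attributed to a person, so re-identification is
    possible only for whoever controls the key.
    """
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return analytics-ready copies with the e-mail replaced by its pseudonym."""
    return [
        {"subject": keyed_pseudonym(r["email"], key), "plan": r["plan"]}
        for r in records
    ]


def dictionary_attack(pseudonyms, candidate_emails, fn):
    """Attacker model: a list of known addresses plus the public hash function.

    Returns {pseudonym: email} for every pseudonym the attacker can reverse.
    """
    table = {fn(e): normalise(e) for e in candidate_emails}
    return {p: table[p] for p in pseudonyms if p in table}


def demo():
    """Run the attack against both schemes and report what was recovered."""
    # Generate once and keep in a secret store; never ship beside the data.
    key = secrets.token_bytes(32)
    # Constructed attacker list: two of the three customers appear in it.
    leaked_list = ["alice@example.com", "bob@example.com", "dave@example.net"]
    naive = [naive_pseudonym(c["email"]) for c in CUSTOMERS]
    keyed = [keyed_pseudonym(c["email"], key) for c in CUSTOMERS]
    # The attacker does not hold the key, so can only try the unkeyed function.
    return {
        "naive_reversed": dictionary_attack(naive, leaked_list, naive_pseudonym),
        "keyed_reversed": dictionary_attack(keyed, leaked_list, naive_pseudonym),
    }


if __name__ == "__main__":
    result = demo()
    print("unkeyed SHA-256 reversed:", len(result["naive_reversed"]), "of", len(CUSTOMERS))
    print("keyed HMAC reversed:    ", len(result["keyed_reversed"]), "of", len(CUSTOMERS))
```

Two points follow from the design. First, the protection rests entirely on where the key lives: if it is stored in the same database or backup as the pseudonymised records, the dataset is effectively unkeyed and the Article 34 "unintelligible to unauthorised persons" argument collapses. Second, because HMAC is deterministic under one key, pseudonyms remain linkable across records for analytics; rotating the key per purpose or per recipient deliberately breaks that linkage when it is not wanted.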
Various guidance is available to assist with privacy risk management, including:
- BS ISO/IEC 27002:2013 — Code of practice for information security controls
- BS ISO/IEC 29151:2017 — Code of practice for personally identifiable information protection
- Measures for the Privacy Risk Treatment — Commission Nationale de l’Informatique et des Libertés (CNIL, the French data protection authority)
It is important that these processes are ongoing and are reviewed, tested and updated regularly; they are not one-time activities that can be completed once and forgotten about.
Processing of high-risk data
For high-risk processing, such as processing data of a highly personal nature, data concerning vulnerable data subjects, or processing on a large scale, additional obligations apply:
- data protection impact assessments (DPIAs) may be required, providing a systematic description of processing and (amongst other requirements) describing how risks to the rights and freedoms of data subjects are managed
- prior consultation with the relevant Data Protection Authority may be required unless the controller implements appropriate measures to mitigate the risk
- notification of a data breach to the individuals affected may be required unless, again, appropriate measures (such as encryption) have been implemented.
While high-risk data attracts additional scrutiny, organisations should remember that the requirement for a risk-based approach applies to the processing of all personal data, not just high-risk processing.
Practicalities of a risk-based approach
A risk-based approach requires risks to be identified and assessed, and then appropriate technical and organisational measures to be implemented effectively and maintained. The problem is that things change: processing of personal data changes to exploit new opportunities, which changes the risk profile and the required mitigations. If a breach occurs, organisations may need to show that, at the time of the breach, reasonable risk-based measures were in place and operating effectively. This requires evidence and history to be retained.
The following are recommended minimum requirements for a risk-based approach to compliance with GDPR:
- an asset register of personal data with mappings to supporting assets
- a risk register with assessments of privacy and security risks to the rights and freedoms of individuals
- mappings of technical and organisational measures to risks with test results to show that they are operating effectively
- ongoing visibility and monitoring of risk status and the effectiveness of mitigations
- evidence, history and accountability to show a continuing risk-based approach.
Except in very simple, low risk situations it is unlikely to be practical or efficient to manage these processes with a manual, spreadsheet-based approach. Instead, Governance, Risk Management and Compliance (GRC) software platforms, such as Acuity’s STREAM Integrated Risk Manager, should be considered to operationalise risk-based compliance with GDPR.
The requirements for a continuing risk-based approach run through GDPR and organisations should put appropriate risk management processes in place to protect the rights and freedoms of individuals.
It is impossible to guarantee 100% privacy or security, but among organisations that suffer a serious data breach, those that can demonstrate a diligent risk-based approach are likely to receive lower fines than would otherwise have been the case, or even avoid them altogether.
Simon Marvell, Partner, Acuity Risk Management.