fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

The Importance Of DPIA And Its 3 Types Of Processing

DPIA
A DPIA is a process designed to help you systematically analyze, identify, and minimize the data protection risks of a project or plan.

The Importance Of DPIA And Its 3 Types Of Processing

What is a DPIA?

A DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of your accountability obligations under the GDPR, and when done properly helps you assess and demonstrate how you comply with all of your data protection obligations.

It does not have to eradicate all risk, but should help you minimise and determine whether or not the level of risk is acceptable in the circumstances, taking into account the benefits of what you want to achieve.

DPIAs are designed to be a flexible and scalable tool that you can apply to a wide range of sectors and projects. Conducting a DPIA does not have to be complex or time-consuming in every case, but there must be a level of rigour in proportion to the privacy risks arising.

Why are DPIAs important?

DPIAs are an essential part of your accountability obligations. Conducting a DPIA is a legal requirement for any type of processing, including certain specified types of processing that are likely to result in a high risk to the rights and freedoms of individuals. Under GDPR, failure to carry out a DPIA when required may leave you open to enforcement action, including a fine of up to €10 million, or 2% global annual turnover if higher.

By considering the risks related to your intended processing before you begin, you also support compliance with another general obligation under GDPR: data protection by design and default.

How are DPIAs used?

A DPIA can cover a single processing operation, or a group of similar processing operations. You may even be able to rely on an existing DPIA if it covered a similar processing operation with similar risks. A group of controllers can also do a joint DPIA for a group project or industry-wide initiative.       

For new technologies, you may be able to use a DPIA done by the product developer to inform your own DPIA on your implementation plans.

You can use an effective DPIA throughout the development and implementation of a project or proposal, embedded into existing project management or other organisational processes.

What kind of ‘risk’ do they assess?

There is no explicit definition of ‘risk’ in the GDPR, but the various provisions on DPIAs make clear that this is about the risks to individuals’ interests. Article 35 says that a DPIA must consider “risks to the rights and freedoms of natural persons”. This includes risks to privacy and data protection rights, but also effects on other fundamental rights and interests.

Also read: 12 brief explanation about the benefits of data protection for business success

What types of processing automatically require a DPIA?

There are 3 types of processing which always require a DPIA:

  1. Systematic and extensive profiling with significant effects:

“(a) any systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”

  1. Large scale use of sensitive data:

“(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.”

  1. Public monitoring:

“(c) a systematic monitoring of a publicly accessible area on a large scale.”

DPIA is designed to be a flexible and scalable tool that you can apply to a wide range of sectors and projects.

Are there any exceptions?

You may not have to carry out a DPIA if:

  • You are processing on the basis of legal obligation or public task. However, this exception only applies if:
    • you have a clear statutory basis for the processing;
    • the legal provision or a statutory code specifically provides for and regulates the processing operation in question;
    • you are not subject to other obligations to complete DPIAs derived from specific legislation, such as Digital Economy Act 2017; or
    • a data protection risk assessment was carried out as part of the impact assessment when the legislation was adopted. This may not always be clear. So in the absence of any clear and authoritative statement on whether such an assessment was done, we recommend you err on the side of caution and do a DPIA to ensure you consider how best to mitigate any high risk.
  • You have already done a substantially similar DPIA. You need to be confident that you can demonstrate that the nature, scope, context and purposes of the processing are all similar.
  • The ICO issues a list of processing operations which do not require a DPIA. We have the power to establish this type of list, but we have not done so yet. We may consider a list in future in the light of our experience of how the DPIA provisions are being interpreted in practice.

What are the key elements of a DPIA process?

A DPIA should begin early in the life of a project, before you start your processing, and run alongside the planning and development process. It should include these steps:

  • Step 1: identify the need for a DPIA
  • Step 2: describe the processing
  • Step 3: consider consultation
  • Step 4: assess necessity and proportionality
  • Step 5: identify and assess risks
  • Step 6: identify measures to mitigate the risks
  • Step 7: sign off and record outcomes

After sign-off you should integrate the outcomes from your DPIA back into your project plan, and keep your DPIA under review. Throughout this process, you should consult individuals and other stakeholders as needed.

The DPIA process is designed to be flexible and scalable. You can design a process that fits with your existing approach to managing risks and projects, as long as it contains these key elements.

You can also scale the time and resources needed for a DPIA to fit the nature of the project. It does not need to be a time-consuming process in every case.

Conducting a DPIA does not have to be complex or time-consuming in every case, but there must be a level of rigor in proportion to the privacy risks arising.

Who is responsible for the DPIA?

You can decide who has responsibility for carrying out DPIAs in your organisation, and who signs them off. You can outsource your DPIA, but you remain responsible for it. If you have a Data Protection Officer (DPO), you must ask for their advice on your DPIA, and document it as part of the process.

You may want to ask a processor to carry out a DPIA on your behalf if they do the relevant processing operation, but again you remain responsible for it.

Who should be involved in the DPIA?

As well as the business area or individual who is leading on the project or process requiring the DPIA, you should also involve: 

  • a DPO, if you have one;
  • information security staff;
  • any processors; and
  • legal advisors or other experts, where relevant.

What is the role of the DPO?              

If you have a DPO, you must seek their advice. The DPO should provide advice on:

  • whether you need to do a DPIA;
  • how you should do a DPIA;
  • whether to outsource the DPIA or do it in-house;
  • what measures and safeguards you can take to mitigate risks;
  • whether you’ve done the DPIA correctly; and
  • the outcome of the DPIA and whether the processing can go ahead.

You should record your DPO’s advice on the DPIA. If you don’t follow their advice, you should record your reasons and ensure you can justify your decision.

DPOs must also monitor the DPIA’s ongoing performance, including how well you have implemented your planned actions to address the risks.

Also read: 7 Client Data Protection Tips to Keep Customers Safe

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us