Cybersecurity: Risk Assessment & Data Privacy
The GDPR introduces additional responsibilities onto organisations, to both evaluate any risks to the personal data they hold and then take action based upon such an assessment. Where holding data is considered “high risk” a “Data Protection Impact Assessment” (DPIA) may need to be performed.
Unfortunately, the GDPR does not provide guidance as to a suitable structured risk assessment process. This means it will be for organisations to demonstrate how they judged the risks of holding various personal data…
Don’t be fooled into thinking that the decision process will be arbitrary or easy to demonstrate!
The GDPR raises potential fines for data breaches (to the higher of 4% of global turnover or €20 million) and, taken together with the new data protection principles of “accountability” and “data protection by design and by default”, organisations will need to be able to demonstrate how they arrived at any risk assessment decisions.
Risk assessment under the GDPR will apply to all organisations, big or small. While ISO27001 or similar may assist with this process, it may be difficult for some organisations to justify the spend. However, it is essential to utilise aspects of such a standard to ensure compliance under the new law, particularly in relation to cybersecurity breach notifications or conducting DPIAs.
Firstly, a big problem with the word risk is the number of ways we approach it within a single organisation. Our infographic summarises how the various functions interact to evaluate risk, how (ideally) information might flow to decision makers to ensure effective investment, and a few key cybersecurity questions.
Normally a cybersecurity risk assessment is aimed at evaluating the risk to an organisation. In a privacy risk assessment the organisation is evaluating the risk to its customers (or other data subjects).
Questions to ask include:
- What type of IT services (email, websites, backups, hardware etc.) does your organisation use? How damaging would lost control/inaccessibility/breached data be for each one?
- How much effort is an attacker likely to put into getting the data? Is there a specific reason (like politics or the value of your assets) that would motivate more skilled attackers to put time and resources into attacking your systems?
- What level of ownership do you have? Do you own the hardware? The content? The risk? Where you don’t own all three, who are you sharing the security risk with? How much investment will they make in reducing your risk and how much influence do you have over that? How much investment will other risk holders expect you to make in security?
You may also need to consider:
- If a specific vulnerability is exploited (in systems, in software development, via an organisational process, physical security, etc.), might this lead to a breach of personal data? If yes, then personal data is in scope for the risk assessment.
Don’t forget – the emphasis on accountability means that all of these evaluations need to be made before a breach to justify what you have (and haven’t) done. Risk assessments are living documents and may need updating in reaction to a breach, but initiating a risk assessment after a breach is likely to put an organisation on the back foot when it comes to any communications with the ICO!
A more in-depth exploration of data protection impact assessments, requirements and cyber risks can be downloaded here.
About our Cybersecurity Series
Clayden Law has teamed up with technical expert Emma Osborn, and over the next few months we will provide some back-to-basics analysis of the technical, legal and data protection issues surrounding cybersecurity, aimed at organisations’ non-technical decision-makers. Together, we’ll be highlighting key cybersecurity and data privacy fundamentals and looking at the interplay between law and practice in this area. For more information, click here.