In the first part of “GDPR: An IT Security View”, we discussed some core objectives, characteristics, and principles of the GDPR, which is due to take effect on 25th May 2018. In this second article, we will discuss in greater depth some of the core IT security objectives relating to GDPR.

The purpose of the GDPR is to establish directions for protecting “natural persons” where their personal data is processed, and to provide guidelines regarding the free movement of that personal data. Whilst GDPR safeguards the fundamental rights and freedoms of individuals and helps protect their personal data, it is not intended to restrict the processing of personal data. Consequently, GDPR entirely detaches data protection from the right to privacy. One of the core IT security objectives of GDPR is assessing risk to personal data. Therefore, from the perspective of IT security, a “Data Protection Impact Assessment” (DPIA) should be one of the core concerns of organisations.

Motivation for the DPIA

The DPIA will play a crucial part in categorising and assessing the privacy risks to Personally Identifiable Information (PII) held by organisations. As a result, organisations should implement adequate processes to reduce both the risks and the impact of those risks on the PII of data subjects. In addition, organisations gain a mechanism for addressing the risk of non-compliance with the regulation and IT operational risk, whilst at the same time building trust that enhances competitive advantage.

The DPIA can be considered part of the broader risk management process that any organisation must implement and perform to address all relevant risks. A DPIA analyses the risks to PII and provides a mitigation process, using control measures related to the risks that are identified.

Scope of the DPIA

Information security aims to protect the confidentiality, integrity, availability, authenticity, and auditability of information. Therefore, there is overlap with the scope