25 January 2018 - Series: Tools for the GDPR

Tools for data protection impact assessment


Software tools alone are insufficient to ensure the implementation of the General Data Protection Regulation (GDPR). However, they can certainly help. In our new series, we are introducing a variety of tools. We’ll start with tools and processes to aid in risk evaluation.

Image caption: A key focus of the GDPR is evaluating and minimising risk (image: olm26250 / iStock / Thinkstock)

The General Data Protection Regulation (GDPR) defines the data protection impact assessment (DPIA) as a mandatory instrument. Article 35(1) of the GDPR states:

“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

Data protection impact assessment: unknown risks

Risks to personal data do not arise only from IT security incidents, for example when attackers steal and misuse data, or from controllers processing data for purposes other than those specified when the data was collected and consent was given.

Even lawful data processing may carry risks for the persons concerned. This is the case especially when new technologies are used; current examples include machine learning (ML) and artificial intelligence (AI).

Processing with new technologies requires a data protection impact assessment in particular where it involves a “systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person” (Article 35(3)(a) GDPR).

Difficulties for practical implementation

Article 35(7) GDPR lists the minimum contents of an impact assessment:

  • A systematic description of the envisaged processing operations and the purposes of the processing
  • An assessment of the necessity and proportionality of the processing in relation to those purposes
  • An assessment of the risks to the rights and freedoms of the data subjects
  • The measures envisaged to address those risks, including safeguards and security measures

However, surveys repeatedly show that controllers struggle with the practical implementation.

New official project

We therefore welcome the new project headed by Fraunhofer ISI and funded by the German Federal Ministry of Education and Research (BMBF), which is intended to help with impact assessments.

The project, titled “data protection impact assessment for use by businesses and authorities”, was launched in September 2017. Fraunhofer ISI describes the process as follows:

“During the preparation stage, a company or authority conducts a review on whether an impact assessment is required. If yes, the evaluation phase begins with a definition of potential sources of risk and those affected. The risk evaluation is then conducted in consideration of six protection objectives (including prevention of data interlinking, intervention options, confidentiality).

During the measures phase, the protective measures need to be identified and implemented, and their effectiveness documented. During the report phase, all steps taken that are required for an independent review of the impact assessment and for informing the public are recorded in writing.”

Subscribers to Datenschutz-PRAXIS can learn more about this process and its phases in the article “Data protection impact assessment: a model for practical use”.

To ensure that the process is suitable in practice, tests in cooperation with companies and authorities will begin in early 2018.

Tools that provide support are, however, already available today.

Supporting tools

Various solution providers have tackled the problem of data protection impact assessment. They offer new tools, sometimes as extensions to their existing products.

Of course, these tools do not deliver an impact assessment at the click of a button. What they do provide are status reports that help to identify, evaluate, and minimise risks. In particular, they help to determine whether protection objectives are being met or not.

Kaseya GDPR Compliance Pack

One example is the Compliance Pack, available as a plug-in for VSA, the remote monitoring and management solution by Kaseya. The pack offers the following functions:

  • Identify the IT systems in the infrastructure
  • Review the condition of the infrastructure and of user accounts to detect weaknesses
  • Update and patch operating systems and third-party applications to identify and resolve IT problems
  • Protect data against malware and viruses
  • Document compliance with GDPR requirements in reports

The solution provides status reports for anti-malware, patch management, users, and administrators.

These reports support the risk evaluation, particularly when they are used to review the systems that have already been identified as requiring an impact assessment.

GDPR Risk Assessment by Snow Software

GDPR Risk Assessment by Snow Software was designed to help companies identify risks in their handling of personal data.

According to the provider, the solution recognises more than 23,000 application versions that store or transmit personal data, and identifies devices with insufficient protection, for example because disk encryption or antivirus software is missing.

The goal is an overview of all devices, users, and applications on on-premises systems, in the cloud, and on mobile devices.

Such an overview can help to identify risky instances of data processing. It shows, for example, whether an IT system used to process data requiring special protection is adequately secured or not.
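The Kaseya and Snow sections above describe the same practical step: take an inventory with per-system status (encryption, anti-malware, patch state, admin accounts) and check it against the systems already flagged as needing an impact assessment. The following Python script is an added example of that step; it is not code from the article, from Kaseya or from Snow Software. The inventory records are constructed, the thresholds are assumptions, and the mapping of each missing control to protection objectives follows the six goals of the German Standard Data Protection Model (confidentiality, integrity, availability, unlinkability, transparency, intervenability), of which the article names only three, so that mapping is also an assumption of this example.

```python
"""Screen an asset inventory for systems that need a DPIA and lack baseline controls.

Added example, not code from the article or from any vendor named in it. Inventory
records are constructed; thresholds and the control-to-objective mapping are
assumptions (mapping modelled on the Standard Data Protection Model's six goals).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    processes_personal_data: bool
    special_category: bool       # Art. 9 GDPR data (health, biometrics, ...)
    automated_decisions: bool    # Art. 35(3)(a): profiling with legal or similar effect
    disk_encrypted: bool
    antivirus_installed: bool
    days_since_last_patch: int
    admin_accounts: int
    access_logging: bool


# Which protection objectives each missing control puts at risk (assumed mapping).
CONTROL_OBJECTIVES = {
    "disk_encryption": ("confidentiality",),
    "antivirus": ("integrity", "availability"),
    "patching": ("integrity", "availability", "confidentiality"),
    "admin_accounts": ("confidentiality", "intervenability"),
    "access_logging": ("transparency", "intervenability"),
}

PATCH_AGE_LIMIT_DAYS = 30   # assumed threshold for this example
ADMIN_ACCOUNT_LIMIT = 2     # assumed threshold for this example


def needs_dpia(asset: Asset) -> bool:
    """Simplified Art. 35 screen: personal data plus special-category data or
    automated decision-making is treated as likely high risk."""
    if not asset.processes_personal_data:
        return False
    return asset.special_category or asset.automated_decisions


def missing_controls(asset: Asset) -> List[str]:
    """Return the baseline controls a status report would show as missing."""
    gaps = []
    if not asset.disk_encrypted:
        gaps.append("disk_encryption")
    if not asset.antivirus_installed:
        gaps.append("antivirus")
    if asset.days_since_last_patch > PATCH_AGE_LIMIT_DAYS:
        gaps.append("patching")
    if asset.admin_accounts > ADMIN_ACCOUNT_LIMIT:
        gaps.append("admin_accounts")
    if not asset.access_logging:
        gaps.append("access_logging")
    return gaps


def objectives_at_risk(gaps: List[str]) -> List[str]:
    """Collapse a list of missing controls into the protection objectives affected."""
    return sorted({obj for gap in gaps for obj in CONTROL_OBJECTIVES[gap]})


def screen(assets: List[Asset]) -> Dict[str, dict]:
    """Report only DPIA-relevant assets; an empty gap list means 'adequately secured'
    against this baseline, which is what the impact assessment needs to document."""
    report = {}
    for asset in assets:
        if needs_dpia(asset):
            gaps = missing_controls(asset)
            report[asset.name] = {"gaps": gaps, "objectives_at_risk": objectives_at_risk(gaps)}
    return report


# Constructed inventory, as a monitoring tool's status export might look.
INVENTORY = [
    Asset("hr-db", True, True, False, True, True, 10, 1, True),
    Asset("scoring-app", True, False, True, False, True, 45, 5, False),
    Asset("web-cms", True, False, False, False, False, 200, 3, False),
]

if __name__ == "__main__":
    for name, finding in screen(INVENTORY).items():
        status = "adequately secured" if not finding["gaps"] else "gaps: " + ", ".join(finding["gaps"])
        print(f"{name}: {status}; objectives at risk: {finding['objectives_at_risk'] or 'none'}")
```

Note that web-cms has the worst control status but is left out of the report, because this screen only asks whether the systems flagged for an impact assessment are adequately protected; weak but out-of-scope systems belong in the general security process, not in the DPIA file.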

Oliver Schonschek
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection.