EU GDPR Special Report
Expert Insights and Practical Guidance
Table of Contents
A Primer on Personal Data Breach Reporting Under the European Union’s General Data Protection Regulation . . . 1
GDPR Program Checklist . . . 4
GDPR Reminder Communication (Sample Notice) . . . 6
Data Protection Officer Checklist . . . 7
GDPR Data Protection Impact Assessment (DPIA) Review Tool . . . 9
A Primer on Personal Data Breach Reporting Under the European Union’s General Data Protection Regulation
Data Breach Response
Under the new European Union privacy regime, the General Data Protection Regulation, a data controller must notify the competent regulator and a data processor must notify its data controller of a personal data breach without undue delay and where feasible not less than 72 hours after becoming aware of the breach, so processors and controllers in the U.S. that have cybersecurity insurance should ask their insurance brokers about endorsements that address the areas of exposure presented by the GDPR, the author writes.
By Melissa Krasnow
Melissa J. Krasnow is a partner with VLP Law Group LLP, in Minneapolis, Minn., and practices in the areas of domestic and cross-border privacy and data security, technology transactions, and mergers and acquisitions. Krasnow is a Certified Information Privacy Professional/US and a National Association of Corporate Directors Board Leadership Fellow.
This article concisely describes personal data breach reporting by data processors and data controllers under the European Union’s General Data Protection Regulation (GDPR) in the wake of the Article 29 Data Protection Working Party Guidelines on Personal data breach notification under Regulation 2016/679 adopted on Oct. 3, 2017 and as last revised and adopted on February 6.
Data processors and data controllers in the U.S. that have cyber liability insurance or are contemplating the purchase of cyber liability insurance should ask their insurance brokers about endorsements that address the areas of exposure presented by the GDPR.
Personal Data Breach Reporting By a Data Processor and GDPR Definitions
A data processor must notify the data controller without undue delay after becoming aware of a personal data breach. Art. 33(2). Data processor means a person that processes personal data on behalf of the data controller. Art. 4(8). Data controller means a person which, alone or jointly with others, determines the purposes and means of the processing of personal data. Art. 4(7). Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Art. 4(12). Personal data means any information that relates to an identified or identifiable living individual; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Art. 4(1). Processing means any operation or set of operations performed on personal data or on sets of personal data, whether by automated means. Art. 4(2). Data subject means a natural person to whom the personal data relates. Art. 4(1).
Personal Data Breach Reporting By a Data Controller
A data controller must notify the competent supervisory authority of a personal data breach without undue delay and where feasible not less than 72 hours after the data controller becomes aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Art. 33(1).
When a data controller assesses the risk that is likely to result from a breach, the data controller should consider a combination of the severity of the potential impact on the rights and freedoms of individuals and the likelihood of that impact occurring. As noted in the Guidelines, the European Union Agency for Network and Information Security (ENISA) has issued recommendations for a methodology of assessing the severity of a breach, which data controllers and data processors may find useful when designing their breach management response plans.
The data controller should consider the following criteria when assessing the risk to individuals as a result of a breach:
• the type of breach that has occurred;
• the nature, sensitivity and volume of personal data;
• the ease of identification of individuals;
• the severity of consequences for individuals;
• special characteristics of the individual;
• special characteristics of the data controller; and
• the number of affected individuals.
In the first notification, the data controller should inform the supervisory authority if the data controller does not have all the information required for reporting and will subsequently provide more details. Art. 33(4). If it is not possible to provide the information required for reporting at the same time, the information may be provided in phases without undue further delay. Id.
When the notification by the data controller to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay; a delayed notification is permissible if the data controller provides those reasons. Art. 33(1) and . However, delayed notification should not be viewed as something that regularly takes place.
If in doubt, the data controller should err on the side of caution and notify. Id. There is no penalty for reporting an incident that ultimately transpires not to be a breach. Id.
The information required for reporting includes the name and contact details of the data protection officer or other contact point where more information can be obtained and a description of:
• the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and of personal data records concerned;
• the likely consequences of the personal data breach; and
• the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. Art. 33(3).
In certain circumstances, where justified, and on the advice of law enforcement authorities, the data controller may delay communicating the breach to the affected individuals until such time as it would not prejudice such investigations. However, data subjects would still need to be promptly informed after this time. Recital 88.
A data controller must communicate the personal data breach to the data subjects without undue delay when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons and the data controller has not either:
• implemented appropriate technical and organizational protection measures which were applied to the personal data affected by the personal data breach and render the personal data unintelligible to any person who is not authorized to access it (e.g., encryption) or
• taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize. Art. 34(1) and Art. 34(3).
Where such communication of the personal data breach to the data subjects would involve disproportionate effort, there instead shall be a public communication or similar measure whereby the data subjects are informed in an equally effective manner .
The communication must describe in clear and plain language the nature of the personal data breach and include the name and contact details of the data protection officer or other contact point where more information can be obtained and a description of:
• the likely consequences of the personal data breach; and
• the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. Art. 34(2) and Art. 33(3).
There is a high risk to the rights and freedoms of individuals where the breach:
• may lead to physical, material or non-material damage for individuals whose data have been breached and such damage includes discrimination, identity theft or fraud, financial loss, damage to reputation, loss of control over personal data or limitation of rights, unauthorized reversal of pseudonymization, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Recital 75 and Recital 85; and
• involves personal data that reveals racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership, or includes genetic data, data concerning health or data concerning sex life, or criminal convictions and offenses or related security measures. Id.
The data controller must document any personal data breaches, comprising the facts relating to the personal data breach (including its causes, what took place and the personal data affected), its effects and consequences and the remedial action taken by the data controller. Art. 33(5). It also is recommended that the data controller document its reasoning for the decisions taken in response to a breach.
Annex A to the Article 29 Data Protection Working Party Guidelines is a flowchart showing notification requirements and Annex B to the Guidelines provides examples of different types of breaches involving risk or high risk to individuals.
GDPR Program Checklist
By Patty P. Tehrani, Esq.
Step 1: Designate Data Protection Officer (DPO) – If required, designate a DPO with the requisite knowledge, documented responsibilities, and sufficient authority, budget, and access (reporting to the most senior level of management)
Step 2: Establish Project Team or GDPR Working Group – Identify stakeholders to execute measures to assist the DPO in assessing, developing, remediating, and maintaining the GDPR Program
Step 3: Deliver Awareness and Training – Keep employees, management, and as-needed third parties aware of GDPR requirements through periodic notices and training on the GDPR Program
Step 4: Evidence Governance and Accountability – Review and update privacy/data protection policies, procedures, and management reporting to ensure compliance with the GDPR – Document compliance with the GDPR’s six governing privacy principles
Step 5: Maintain Privacy Notices and Consents – Review how you seek, record, and manage consents and update as needed to ensure concise, simple, transparent, and timely consents that can be readily accessed and withdrawn (Note: Keep in mind special requirements for children) – Review privacy notices to confirm GDPR-compliant content, delivery, and timing and update as needed
Step 6: Assess and Inventory Data Processing Activities – Regularly inventory data flow sources and conduct periodic Data Protection Impact Assessments for data processing likely to be high risk to a data subject – Implement appropriate technical and organizational measures to show you have considered and integrated data protection into your processing activities
Step 7: Maintain Data Breach Procedures – Maintain procedures for handling data breaches to ensure they are timely detected, reported, investigated, and managed, as well as recorded
Step 8: Comply With Data Subjects’ Rights – Ensure your processing controls comply with data subjects’ rights of access, rectification, erasure, objection, and data portability and the right to lodge a complaint, among other rights
Step 9: Maintain Compliant Third-Party Engagements – Screen third parties and maintain engagements documented via contracts that integrate GDPR Program requirements
Step 10: Maintain Program – Monitor and audit your GDPR Program regularly for compliance and update as needed to reflect changes in regulations, operations, feedback, and review results
GDPR Reminder Communication
By Patty P. Tehrani, Esq.
To: All Employees
From: [DATA PRIVACY OFFICER]
Date: MM/DD/YY
Subject: Cybersecurity Program and Controls — Reminder
Relevant Policy: [COMPANY] Cybersecurity Controls Policy
We are issuing this important reminder on the EU General Data Protection Regulation (GDPR). This regulation is far-reaching, and many functions within our organization are working on these changes and have already implemented or updated various controls in response. Keep in mind that GDPR is not a one-time project for our organization but rather an ongoing obligation, so you should expect more information and guidance in the future.
To date, we have supplemented our existing controls to comply with the GDPR for our processing activities involving our European Union operations and to demonstrate the measures we have in place. These include:
• Appointing <insert COMPANY contact> to serve as our Data Protection Officer and to oversee our GDPR program.
• Updating our policies and procedures to factor in the GDPR’s principles relating to processing personal data.
• Carrying out a periodic data-mapping exercise to gain a better understanding of the data we collect, process, and store, among other considerations.
• Conducting a data protection impact assessment if the processing is likely to be “high risk.”
• Safeguarding the rights of individuals regarding the processing of their personal data by providing them the right to access, correct, object, transfer, and erase their information, among other rights.
• Instituting measures that require consent for our processing activities, including to show how we collect consent and when, and that it was freely given and can be readily withdrawn.
• Updating our data breach protocols to address the GDPR’s notice and timing requirements.
• Updating our consent and notice requirements to meet the GDPR.
• Updating our third-party governance process to comply with the GDPR’s data-processing requirements.
• Ensuring our technology, including new initiatives, accommodates the GDPR requirements.
• Integrating the GDPR requirements into our monitoring and audit processes.
We take our responsibilities regarding processing personal data of individuals very seriously and recognize this commitment is an ongoing effort. Your understanding and support of this commitment are critical to our continued success.
If you have any questions regarding the GDPR or our program, feel free to refer them to your manager, our DPO, or <insert mailbox and helpline for referral of such issues> for further assistance.
Data Protection Officer Checklist
By Patty P. Tehrani, Esq.
Once you’ve determined the Regulation applies to you and identified your role (controller or processor, or both), your next step should be to appoint a Data Protection Officer (DPO) or some similar role. The CCO will appreciate having a point person oversee GDPR compliance efforts and, ultimately, the GDPR Program. Articles 37–39 of the Regulation cover the appointment, qualifications, and responsibilities of a DPO, as summarized here:
Appointment
Appoint a DPO if:
✔ Your data processing activities involve regular and systematic monitoring of data subjects on a large scale
✔ Your data processing activities involve processing sensitive personal data on a large scale or data relating to crimes
✔ Local laws require it (for example, Germany)
Remember:
✔ You can appoint a single DPO to cover a corporation.
✔ You can designate an employee or an outside consultant.
✔ If you don’t have to have a DPO but want one anyway, know that a voluntary DPO is still subject to the same requirements as mandatory DPOs.
Qualifications
✔ Is knowledgeable about the GDPR and any other relevant privacy and data protection laws
✔ Has sufficient understanding of business operations, as well as the information systems, data security, and data protection needs of the assigned organization to carry out assigned responsibilities
Authority
✔ Receives appropriate resources
✔ Reports directly to the highest level of management
✔ Is protected from dismissal if carrying out responsibilities
Responsibilities
✔ Informs and advises on obligations under the GDPR
✔ Monitors compliance with the GDPR by the controller or processor
✔ Trains staff on GDPR
✔ Intermediates the relationship between the organization and relevant authorities
✔ Assists with queries from data subjects to exercise their rights under the GDPR
✔ Partakes in all aspects of data processing decisions undertaken within the organization to ensure his/her opinion is factored into such matters
Note: The DPO cannot carry out any other responsibilities that conflict with his/her role.
Keep in mind that if you decide not to appoint a DPO, make sure to document your reasoning just in case you need to respond to queries about your decision.
What should you do to prepare?
✔ Review the WP29 Guidelines on Data Protection Officers (WP 243) (the “DPO Guidelines”).
✔ Determine if you need to appoint a DPO (if you decide against it, document your reasoning).
✔ Assign and document DPO responsibilities.
✔ Ensure that the DPO:
– has and maintains GDPR/privacy expertise
– receives appropriate resources
– reports directly to the highest level of management
– is protected from dismissal if carrying out assigned responsibilities
GDPR Data Protection Impact Assessment (DPIA) Review Tool
By Patty P. Tehrani, Esq.
The Data Protection Impact Assessment (DPIA) is mandated by Article 35 of the EU General Data Protection Regulation (GDPR), which provides that:
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
These assessments are designed to assist with data protection obligations by identifying the risks associated with data processing and those posed to data subjects. If done properly, a DPIA enables a pre-emptive approach: assessing the risks and applying corrective actions and mitigating controls before a breach occurs.
DPIA Review Tool
Using the regulation’s guidance and industry practices, this review tool (spreadsheet reproduced below) prepares collected data privacy status information for inclusion in a completed DPIA. It is recommended that you complete a DPIA for each required project and maintain this information for future reference or production.
The review tool is organized as follows:
• PROJECT OVERVIEW—use to provide details of the project
• SCREENING—complete preliminary questions to determine if a DPIA is required
• PERSONAL DATA INVENTORY—identify the compilation of the personal data to be processed and basis for processing
• EVALUATION—questions to help identify the risks with the details involved in the processing of the personal data
• RISK REGISTER—use this to document the types of risks based on the results of the other assessment sections and answers, and identify the possible solutions and mitigating actions for identified risks
• REMEDIATION PROJECT PLAN—document the planned measures to remediate any identified risks and track the resolution of each mitigating measure
Processing
• Complete each table in order if possible, or complete those you want to use along with other relevant assessments/information
• Edit and customize the sections as you deem appropriate for your organization’s operations
• Consult key stakeholders of your organization, including your assigned Data Protection Officer or similar role, in completing the assessment (make sure to document their review)
• Retain records of all assessments and results of these reviews
• Schedule future reviews to make sure the information remains current
Note: You can modify any of the data for columns that will have drop-down menu options and/or risk rating or impact levels to better align with your organization’s existing matrices.
Additional Guidance
For additional guidance on the DPIA, refer to the Article 29 Working Party guidelines (WP 248) (the “Impact Assessments Guidelines”). These guidelines provide further clarity on the Article 35 requirements around Impact Assessments.
Refer to Article 35 of the Regulation, which provides the situations and provisions for DPIAs and requires those obligated under the GDPR to have processes in place to assess data protection risks and identify when a DPIA is required.
PROJECT OVERVIEW
Instructions:
1. Answer all the assessment questions including “N/A” if not applicable.
2. Provide as much detail as possible to ensure a complete assessment is made.
3. Attach or include references to supplemental information that should be considered along with your stated responses.
Article 35(7)(a): The assessment shall contain at least: a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
PROJECT NAME:
DPIA COORDINATOR:
DPIA COORDINATOR CONTACT INFO: Email: / Phone: / Location/Office:
DATE:
NOTE: Please refer any questions to our Data Protection Officer <ADD NAME & CONTACT>.
NO. REQUIREMENT COMMENTS
1.1 DESCRIPTION (Provide a brief description of the project and the processing, and describe what is being planned)
1.2 OBJECTIVES (Provide the goals of the project)
1.3 PURPOSE (Provide the purpose of obtaining and processing the data)
1.4 DATES (Provide the critical dates for this project (expected launch, completion, etc.))
1.5 LOCATIONS (Indicate all the locations that will be covered by the new project)
1.6 POTENTIAL RISKS (Indicate if any potential risks to the personal data have already been identified)
1.7 INPUT (Provide any feedback from stakeholders, third parties and employees (including the Data Protection Officer as applicable))
1.8 REVIEWS (Indicate any other reviews, audits, or assessments carried out on similar processing activities that should be factored into this assessment)
1.9 SYSTEMS/TECHNOLOGY (Provide any relevant information if the processing involves new technology or systems)
1.10 OTHER (Provide any additional information that may be relevant to the impact assessment)
PROJECT SCREENING
Instructions:
1. Try to complete each question.
2. Add any new relevant question(s) based on the risk and/or processing operation you are assessing.
3. Use these questions to help identify a need to complete a DPIA.
4. Keep in mind that:
If you answer NO to all the screening questions, following consultation with your appropriate stakeholders (including as appropriate your organization’s Data Protection Officer) you may determine it unnecessary to complete a DPIA.
If you answer YES to one or more of the screening questions, then it is advisable for you to complete the remainder of the template, including the DPIA.
Keep a copy of this completed sheet along with your justification and any other relevant information for future use or document production.
Article 35(7)(b): an assessment of the necessity and proportionality of the processing operations in relation to the purposes
COMPLETED BY: DATE:
SCREENING QUESTIONS
NO. REQUIREMENT RESPONSE (Select Y/N) COMMENTS
The project involves processing that entails:
2.1 collecting personal data from individuals for the first time or new information from them
2.2 requiring/asking individuals to provide personal data
2.3 using personal data that is not currently used
2.4 seeking personal data that may raise high risk privacy concerns
2.5 disclosing personal data to organizations or people who have not previously had access to the information
2.6 contacting individuals in new ways
2.7 evaluating personal data
2.8 processing that involves different categories of personal data
2.9 processing of personal data on a large scale
2.10 processing that may create or impact legal effects concerning the individual(s)
2.11 processing that may impede data subject rights
2.12 making decisions or taking action that can have negative impact on individuals
2.13 involving individuals who are considered children
2.14 involving transfers of personal data across borders
2.15 creating potential risks for breach based on prior history or industry issues
OTHER Any other project attributes to be considered? If yes, attach additional documentation.
PERSONAL DATA INVENTORY
Instructions
1. Answer all the assessment questions including “N/A” if not applicable.
2. Provide as much detail as possible to ensure a complete assessment is made.
3. Attach or include references to supplemental information that should be considered along with your stated responses.
Keep a copy of this completed sheet along with your justification and any other relevant information for future use or document production.
COMPLETED BY: DATE:
NOTE: Please refer any questions to our Data Protection Officer <INSERT NAME & CONTACT>.
Columns: Personal Data Type | To Be Collected (Y/N) | Purpose of Collection | Processing Activity | COMMENTS
PERSONAL INFORMATION—GENERAL
3.1 Name, such as full name, maiden name, or mother’s maiden name
3.2 Date of Birth
3.3 Place of Birth
3.4 Alias Name or other name used
3.5 Full Home Address
3.6 Country, state, postcode or city of residence
3.7 Marital Status
3.8 Telephone numbers, including mobile, business, and personal numbers
3.9 Information identifying personally owned property, such as vehicle registration
3.10 Personalized vehicle number plates
3.11 Number or title number and related information
3.12 Passport Number
3.13 Residence and geographic records
PERSONAL INFORMATION—DIGITAL
3.14 Digital Identities, such as avatars, usernames/handles, Gamer IDs
3.15 Email address (if private from an association/club membership, etc.)
3.16 Login name, screen name, nickname, or handle
3.17 IP addresses (when linked; not PII by itself in the US, but it is in the EU)
3.18 Geo-Tracking Data, Location based services
3.19 Web surfing behavior or user preferences using persistent cookies
3.20 Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or another host-specific persistent static identifier that consistently links to a person or small, well-defined group of people
PERSONAL INFORMATION—MEDICAL
3.23 NHS number
3.24 Sick Days
3.25 Information about Sick Leave
3.26 Doctor’s Visits
3.27 Medical Data
3.28 Biological traits, such as genetic material
3.29 Fitness Data
3.30 Patient Reference Numbers (e.g. Patient Identification Number, Medical ID)
3.31 X-rays, fingerprints, or other biometric image or template data (e.g., retina)
3.32 Scan, voice signature, facial geometry
3.33 Medication
PERSONAL INFORMATION—BIOGRAPHICAL
3.34 Age, if specific
3.35 Photographic image (especially of face or another distinguishing characteristic)
3.36 Gender
3.37 Racial or ethnic origin
3.38 Hair Color
3.39 Defining Characteristics
3.40 Eye Color
3.41 Height
3.42 Weight
3.43 Biometrics
3.44 Voter record
PERSONAL INFORMATION—EMPLOYMENT
3.45 Social Security Number (SSN) / National Insurance Number
3.46 Working Hours / Time Tracking
3.47 Salary Information
3.48 Job Position
3.49 School, College, University, Workplace Names & Addresses
3.50 Certificates / Testimonials
3.51 Assessments / References
3.52 Performance / Appraisals
3.53 Tax Information
3.54 Student Number
3.55 Education Information, including grades
PERSONAL INFORMATION—FINANCIAL
3.56 Financial Accounts, Institutions and Transactions
3.57 Bank Information
3.58 Salary Information
3.59 Credit Card Numbers (especially Personal Credit Cards)
3.60 Spending Habits, Transaction History, Debt Information
3.61 Credit Score
3.62 Pension
PERSONAL INFORMATION—OTHER
3.63 Political opinions
3.64 Religious or other similar beliefs
3.65 Membership of trade unions
3.66 Physical or mental health or condition
3.67 Sexual life
3.68 Convictions, proceedings and criminal acts
3.69 Political opinions
3.70 Ethnicity/Race
ADD ADDITIONAL TYPES
EVALUATION
Instructions
Answer each of the assessment questions with as much detail as possible to identify potential risks and issues at the start of the assessment. The responses can be used to help identify the risks to populate the DPIA.
Keep a copy of this completed sheet along with your justification and any other relevant information for future use or document production.
Article 35(7)(d): the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned
COMPLETED BY: DATE:
NO. QUESTION RESPONSE (Y/N) COMMENTS
4.1 You have a legal basis for processing the information
4.2 You have identified all individuals/entities who can access the information
4.3 You have defined restrictions to access the data
4.4 You will require consent to process this information
4.5 You have defined a process to obtain consent and facilitate withdrawals
4.6 You have measures that will assure control over the data
4.7 You plan on having the data encrypted and/or pseudonymized
4.8 You have or will have a compliant destruction process for destroying the information if no longer needed
4.9 You have identified the process for storing the data
4.10 Your process is expected to uphold all rights of data subjects (i.e., portability, objection, rectification, erasure, access, etc.)
4.11 You have a target date for supplying this information
4.12 Your processing will require notice to the relevant Supervisory Authority
4.13 You have identified the security measures to protect the data
4.14 You have or will deliver training to the relevant staff and third parties involved in the project on GDPR and special risks related to this processing
4.15 You have identified the relevant stakeholders, including the Data Protection Officer, that need to be consulted in identifying the privacy issues and risks associated with this project
4.16 You plan on transferring the data to a third party
4.17 You have identified safeguards that will be applied to transferring the data
4.18 You expect that some or all of the personal data will be transferred outside the EU
4.19 If yes, you have factored in the measures required by the GDPR for transfers of personal data
4.20 Provide any other factors or information to assist in this Privacy Impact Assessment.
[COMPANY] RISK REGISTER
Instructions
Indicate type of risk if processing were to proceed:
• Individual Risk: risks impacting data subjects (personal data or rights)
• Compliance Risk: risks that reveal regulatory or compliance exposure
• Company Risk: risks that will affect the business (reputation, revenue, fines and sanctions)
Indicate possible mitigation measures to reduce risk to processing.
Keep a copy of this completed sheet along with your justification and any other relevant information for future use or document production.
Article 35(7)(c): an assessment of the risks to the rights and freedoms of data subjects
COMPLETED BY: DATE: COVERS:
Columns: No. | DESCRIPTION | LIKELIHOOD | RISK RATING | CATEGORY | REMEDIATION | MITIGATING ACTIONS | CONTINGENCY | CONTINGENCY MEASURES | REVISED RISK RATING | TARGET DATE | RISK OWNER
Column guidance:
# DESCRIPTION: Use evaluation response
LIKELIHOOD: (Very Likely, Likely, Unlikely, Very Unlikely)
RISK RATING: (Low, Medium, High)
CATEGORY: (Individual, Compliance, Company)
Rows: 1. 2. 3. 4. 5.
REMEDIATION PROJECT PLAN
COMPLETED BY: DATE: COVERS:
Columns: ISSUE | REMEDIATION NAME | ACTIONS TO BE TAKEN | SCOPE | PERSON RESPONSIBLE | TARGET DATE | COMPLETION DATE | STATUS | COMMENTS
Column guidance:
ISSUE: #
REMEDIATION NAME: Provide Name/Title of issue to be remediated
ACTIONS TO BE TAKEN: Provide description of actions to be completed
SCOPE: Indicate Area/Function action applies to
PERSON RESPONSIBLE: Indicate Individual responsible for overseeing the action(s)
TARGET DATE: Provide expected date of completion
COMPLETION DATE: Provide actual date of completion
STATUS: Indicate action status (No Action, In Progress, Completed)
COMMENTS: Provide any additional comments/issues
Rows: 1. 2. 3. 4. 5.
Related Content
For additional information, please consult the following Bloomberg Law resources:
William RM Long, Geraldine Scali & Francesca Blythe, EU General Data Protection Regulation, 550 Privacy & Data Security Practice Portfolio Series (BNA).
Jack Quinn, et al., Corporate Compliance: Building a World-Class Borderless Ethics Compliance Program, 103 Corporate Practice Portfolio Series (BNA).
Additional editing and content development by Bloomberg Law.
Access a full suite of Practical Guidance documents on Bloomberg Law: www.bna.com/eu-gdpr-practical-guidance/
Minimize the risks. Global news and timely insight on emerging issues.
Access a single-source solution that harnesses the expertise of our editorial team and dozens of national and global experts to deliver actionable intelligence that equips privacy professionals with confidence to advise clients and respond quickly to complex issues.
Request a complimentary trial at bna.com/privacy-data-security
© 2018 The Bureau of National Affairs, Inc. 0618 MKT-12542 04-1390