You may be all too familiar with your organization’s change-management process, the regular steps of review being used, and maybe even the exact wording of its requirements — some of which may have remained unchanged for years. Up until now, the focus of change management has been centered on the interests of the organization, naturally. But now, thanks to the General Data Protection Regulation, companies will not only have to account for privacy and security measures for themselves, but also for the individuals whose personal data exists on its information systems.
Data protection matters
If it’s determined that the GDPR applies to an organization, then it’s likely that the data protection impact assessment (DPIA) requirement has been mentioned as well. Here's what Article 35 regarding DPIAs states:
"Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks."
The takeaway? Any time new processing operations are being implemented, it’s a must to conduct a full assessment of how it will impact personal data protection. Within the new requirement, this stipulation is crystal clear: Organizations will need to find a way to build the DPIA into their processes consistently and continually. The question is, how can your organization adopt the DPIA requirement without causing a major disruption to service delivery?
What triggers a DPIA?
One of the biggest challenges for most organizations will be the integration of data privacy and protection into their longstanding product delivery model. A good starting point for most is to revisit your organization’s policies and procedures, and assess where a DPIA can fit in the change and risk management documentation.
Here are some of the circumstances that may prompt a DPIA, according to the GDPR, specifically:
Read More: iapp.org
About the Author
Kevin Kish is a Privacy Technical Lead with Schellman & Company, LLC. Prior to joining Schellman, Kevin worked as a IT Compliance Manager, specializing in IT Security and Data Privacy compliance frameworks, including ISO 27001, HITRUST, Privacy Shield and the General Data Protection Regulation. As a Senior Associate with Schellman, Kevin is focused primarily on data protection laws for organizations across various industries.More Content by Kevin Kish