How to Jump-Start GDPR Risk Analysis

Ever since the General Data Protection Regulation (GDPR) was adopted in April 2016, there has been a barrage of scary articles and industry papers about the penalties and reputational damage that will ensue when the regulation comes into force in May 2018. But most of the articles simply recap the general provisions of the GDPR, instead of attempting to clarify them. Their only message seems to be that the GDPR “ bomb” will go off before you’re ready.

Small and medium-size organizations (SMBs) need to be ready when the new law comes into force in May 2018, because the GDPR cuts them no slack — it applies to every organization anywhere in the world that processes or stores data about EU citizens. But it can be hard for SMBs to know where to start. Compared to larger organizations, they often have less time and money to invest in getting it right, and are less likely to have compliance teams, data protection officers or legal experts to advise them what to do. Moreover, many SMBs are completely new to regulatory compliance and critical data security best practices, which makes them more at risk of cyber attack.

Fortunately, the same process can help your small business both comply with GDPR regulations and reduce the risk of data breaches: risk assessment. In this post, we’ll explore how the GDPR defines risk assessment and provide you with step-by-step instructions for implementing it.

What is risk assessment according to the GDPR?

Several provisions in Chapter IV of the GDPR specifically refer to risk assessment and data protection impact assessment. However, what counts as a “risk” is never defined, nor is there any guidance for establishing a risk assessment process.

The reason for this vague wording is that the GDPR applies to any organization that handles personally identifiable information (PII) of EU citizens, regardless of size or industry. Nevertheless, the GDPR is no “ticking bomb” or legislative barrier. In fact, other data security standards actually have much more rigorous approaches. HIPAA, for example, requires your risk assessment measures to live up to an external auditor’s expectations, and GDPR compliance audit failures can result in huge GDPR fines. In contrast, the GDPR grants freedom in adopting similar procedures — you just need to demonstrate that the risk-based approach you adopt is adequate to your organization type and is aligned with GDPR requirements.

Risk assessment is simply a set of security best practices that will strengthen your defenses and keep your business out of trouble

Risk assessment is something every organization needs to do, and it involves the following:

  • Accurately assessing your unique risk profile
  • Taking appropriate measures to mitigate the security risks you identify
  • Repeating the risk assessment and mitigation process on a regular basis

A Step-by-Step Guide for GDPR Risk Assessment

Let’s go over the basic steps that small and medium size businesses can do to adopt a continuous risk assessment and mitigation process:

1. Assemble the right team.

Make sure your team includes members from all areas in your company that have responsibility for managing or processing PII. Start by identifying the stakeholders — the people most likely to be affected by the GDPR. Usually this includes people in charge of handling customer relationships and the heads of marketing, HR, IT and legal. Also appoint a Data Protection Officer, who will have overall responsibility for GDPR compliance.

2. Review other compliance standards and frameworks.

Since the GDPR does not lay out specific procedures and precise definitions, use other compliance standards and frameworks, such as PCI DSS or the NIST Cybersecurity Framework, to help you get started. They may sound different, but they all have the same primary goal as the GDPR — protecting sensitive data.

3. Know your data.

Classify and control the data you collect and store. You need to know which data is sensitive, where it resides and who has access to it before you can begin to assess risks, respond promptly to auditors’ requests, spot security incidents and ferret out their root cases, and fulfill GDPR requirements such as data portability. Adopting a single platform for data governance and policy management will help you avoid fragmented data storages, which pose a great risk to data integrity and therefore regulatory compliance.

4. Identify your unique risks.

Identify the risks specific to your organization and classify them by both severity and likelihood using categories like high, moderate and low. Determine exactly what valuable assets could be harmed by each risk. Each organization will have its own unique set of risks and possible consequences, but a risk matrix can be a valuable cheat sheet to help ensure you don’t miss anything.

5. Determine your risk/benefit ratio.

While the GDPR does not provide guidance on how to evaluate and assign weight to various risks and harms, it states that the evaluation must take into account the balance between risk and benefit. Thus, the same risk can be scored differently by different organizations, depending how likely it is to occur and how much benefit mitigation measures would provide. “The processing of personal data should be designed to serve mankind,” the GDPR says, so, for example, if you need to store more personal data in order to benefit your customers, you can do so — just don’t forget to assess the necessity of processing that data and the risk it entails.

6. Repeat the risk assessment process continuously.

GDPR requires risk assessment to be an ongoing process. You need to constantly monitor new data, discover new risks, re-evaluate risk levels, take mitigation steps and update your action plan. To do so, you need visibility
into your controls, processes and practices, so you can ensure they are aligned with the
regulation’s requirements. For instance, you need to make sure you have insight into and control over access permissions, so you can minimize the risk that sensitive data will be accessed
by unauthorized people.

For now, the most reasonable advice is to adhere to the Guidelines on Data Protection Impact Assessment based on DPA 1998 and other sector-specific regulations. But stay tuned for further announcements.  The UK Information Commissioner’s Office (ICO), along with other data protection authorities in the EU, might well issue further guidance on risk processing activities as May 2018 approaches.

With the proliferation of new information technologies and the growing sophistication of cyber risks, risk management is more critical than ever. To protect your sensitive data efficiently and effectively, you need to know what risks pose the biggest threats to your organization and gain control over permissions and user activity. Continuous risk assessment will help you improve data security and achieve GDPR compliance.

Lear more about how you can prepare for the GDPR and avoid surprises in 2018 by watching this free webinar The Ocean Won’t Save You: the GDPR Implications for the US Business

Former General Manager EMEA at Netwrix. Matt holds a CISSP certification and has over 19 years of experience in the cybersecurity industry. He has worked for many organizations, specializing in areas such as risk management, identity and access management, and network and database security. In the Netwrix blog, Matt shares insights on how to achieve greater levels of security and compliance.