
Risk analysis in the GDPR: Arts. 24 and 35

The different risk analyses in the GDPR

Elías Vallejo, lecturer in "Data protection and information systems audits" on the Master in Compliance & Data Protection Management at EIP International Business School, wanted to share with us a study of the different risk analyses in the GDPR, pointing out that risk analysis appears in the GDPR in three cases:

  1. Art. 24 – Responsibility of the Data Controller, and Art. 35 – Data Protection Impact Assessments
  2. Art. 32 – Security of Processing
  3. Art. 25 – Data protection by design and by default

In this first post on our blog, Specialists in Data Protection & Regulatory Compliance, he tells us about Art. 24, Responsibility of the Data Controller, and Art. 35, Data Protection Impact Assessments.

Here is the post by Elías Vallejo:

Art. 24 – Responsibility of the Data Controller, and Art. 35 – Data Protection Impact Assessments

Under Art. 24 of the GDPR, the nature, scope, context and purposes of the processing are taken into account, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, and on that basis the data controller must implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing is performed in accordance with the Regulation.

This idea of "demonstrating that the processing complies with the Regulation" defines the scope of this risk analysis. It should be noted that it is the most comprehensive of the 4 risk analyses mentioned, which are the subject of this article.

It is therefore a matter of demonstrating that everything established in the Regulation is complied with. To do so we must go carefully, article by article through the GDPR, to establish what counts as compliance with each one and to detect non-compliance with the obligations those articles impose, treating each such non-compliance as a threat to be evaluated.

However, to narrow down these threats, there is already work done by the AEPD in its "Regulatory Compliance List", published some time ago; failing that, we can take the minor, serious and very serious infringements defined in the LOPDGDD as the threats.

Risk analysis pathways

This explanation is easy to follow as far as compliance with legal obligations is concerned, but it leaves a wide range of threats open on the technical side, since the description of those threats in both documents is very generic.

To analyse these technical threats, we turn to Art. 32, Security of Processing, which we will cover later.

On the other hand, it should be noted that this risk analysis is reached in one of two ways:

  1. Either because it is an existing processing operation, or
  2. Because, for a new processing operation, after assessing whether an Impact Assessment is needed (hereinafter, the Pre-PIA), the conclusion is that it is not a high-impact processing operation and, therefore, this risk analysis is carried out on it (rather than the Impact Assessment).

At this point, it must be clarified that the content of the Agency's Risk Analysis Guide and DPIA Guide is far removed from what the "Gestiona" application does. In that application, the risk analysis is calculated with the equation Risk = Probability x Impact, making it a copy of what a DPIA would be; there is no difference between the two. In the Risk Analysis Guide, however, it is stated that in these cases (and unlike in a DPIA) the risk affecting the organisation is identified and controls are proposed on the basis of it, without going through an intermediate stage of risk analysis using the probability-by-impact formula.

Differentiating elements

This contradiction is giving rise to different interpretations. On one side (the more technical camp), there are those who believe that "Gestiona" is the correct interpretation: every risk analysis must include the formula Risk = Probability x Impact, and they read the "Risk Analysis Guide" as having eliminated the risk-analysis stage itself.

This camp considers the following to be the differentiating elements:

  • Risk analysis methodologies themselves cannot omit the risk assessment stage.
  • Gestiona endorses that position.

On the other side, there are those (the more legal camp) who argue that the reasoning of the Guide is what should prevail: the reason a Pre-PIA is carried out on each processing operation is to determine whether or not it is high impact. If it is high impact, a DPIA must be done; otherwise, a risk analysis must be carried out. If in the end the methodology of both is decided to be the same, it makes no sense to do a Pre-PIA.

We must also abandon the idea that every risk analysis must include the formula Risk = Probability x Impact, since when privacy risks are analysed from the perspective of data protection by design and by default (as we will see later) this formula is not used.

Going further into the idea that Risk is not equal to Probability x Impact, Recital 78 of the GDPR establishes: "The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk."

That is, one only has to know, first, whether the risk exists (identify it) and, if it does, whether the risk is high (this is done through the Pre-PIA). Nothing is said about having to quantify it.

It should be noted that Impact Assessments would only study the need for new processing operations, not existing ones.


Elías Vallejo is a Senior Consultant in Data Protection and Criminal Compliance.
