Were you unable to attend the last webinar on New Risk Guide and impact assessment of the Spanish Data Protection Agency? Don't worry, in this post We summarize the keys to this webinar and the aspects we address.
Elias Vallejo Grande, Senior Consultant in Data Protection and Criminal Compliance, has accompanied us during this interesting event, from which we highlight the following conclusions:
- It is time to forget previous guides on the same topic and start working with this new tool, since it incorporates important news.
- Risk management should not be approached as a list of regulatory compliance, but rather the risk must be analyzed based on the treatment, its own circumstances and its impact on the rights and freedoms of the interested parties.
- In risk assessment, it is necessary evaluate what impact it may have for the individual and society, since there are gaps whose social impact makes it more difficult to minimize risks.
- The impact on fundamental rights and freedoms should not be limited to data protection and privacy, but to other fundamental rights, such as association, assembly, life, equality, etc.
- The responsible It cannot and should not be limited to treating the risk factors explicitly identified in the regulations.. In risk management, we must go further and, during the analysis phase, also identify and evaluate those risk factors that derive from the specific treatment, both based on its nature, scope or extension or the purposes it pursues, as well as in those others that derive from the context, for example, the present and future context of the treatment and the internal and external context of the organization.
- The option to transfer the risk disappears. The obligation to guarantee rights and freedoms rests with the person responsible for the treatment, so this option of transferring the risk is impossible.
- In the risks related to security breaches, three new dimensions are added to the five traditional dimensions: failures in privacy guarantees, resilience and errors in technical operations.
- The risk factors are merged with the assumptions where it is necessary to perform a DPIA. In the positive list it is mentioned that, as a general rule, if two cases occur, DPIA must be carried out. In this new Guide, with only one element it is already required to do DPIA.
- For most threats, a previously defined risk is established, without quantifying probability by impact.
If you liked this webinar, follow us on Linkedin and stay informed of all our events. In addition, we recommend that you subscribe to our newsletter, so as not to miss any of our interesting posts.
