European General Data Protection Regulation (GDPR)
This is the first major change to the EU's data protection legislation in nearly 20 years; it replaces the 1995 Data Protection Directive.
Data Protection Impact Assessment (DPIA)
Also known as Privacy Impact Assessments, these assess the risk to the individuals whose personal data is collected, used, and possibly disclosed by a business (the data subjects, not only paying customers). The purpose of the assessment is to identify high-risk areas that the company is expected to address, and to record the measures taken to mitigate them.
While it is a good idea for every business to run a privacy impact assessment and find its weak links, not every company is required to do so. The obligation (Article 35) attaches to processing operations, not to classes of business: a DPIA is mandatory where a type of processing is likely to result in a "high risk" to the rights and freedoms of natural persons. Several other GDPR duties likewise apply only to processing judged to be high risk.
Every company will need to examine its own processing activities, and perhaps consult an expert, to determine whether they are high risk. Examples the regulation itself names include systematic and extensive profiling or other automated evaluation that produces legal or similarly significant effects, large-scale processing of special categories of data (health, biometrics, political or religious views and the like) or of criminal-conviction data, and large-scale systematic monitoring of publicly accessible areas. Processing that could lead to identity theft, financial loss, or fraud is also treated as high risk. Supervisory authorities publish their own lists of processing that requires a DPIA, so check the list for your jurisdiction, and contact a GDPR expert if your company is unsure of its standing.
For processing that falls in the high-risk category, the mandatory DPIA may have to be followed by a prior consultation with your supervisory authority (Article 36). This consultation is only required where the DPIA shows a residual high risk that you cannot reduce with mitigating measures; where the measures bring the risk down, no consultation is needed. Either way, keep the DPIA on file, as the authority can ask for it.
The authority has up to eight weeks to respond, which it may extend by a further six weeks for complex cases, and depending on its backlog this wait can push out the deadline of your GDPR compliance project. It is therefore a good idea to get started on this step as soon as possible.