Data Privacy Impact Assessment: A GDPR Requirement for HR cloud solutions too
You need to start now.
There is an increasing use of personal data on the internet. Usage of personal data creates significant advantages for both companies and individuals. For companies new technologies and the use of personal data creates a competitive advantage. For individuals there is an expectation of getting personalized service and communication. Personal data is widely used – from CRM systems to HR systems such as SAP SuccessFactors.
At the same time there is an increasing focus on protecting personal data – one of the initiatives is upcomming GDPR from the European Union to take effect May 2018 in all member states
It requires your company to ensure your processes and systems are prepared so your company will remain compliant after the new rules takes effect.
Like everything else this can be designed and engineered in various ways; if you strive for an agile approach that is not overengineered but tailored specifically to your SuccessFactors solution, let us know.
If you have not performed or planned to perform a data protection impact assessments – there is no time like the present to get started. The assessment is a systematic process to assess privacy risks to individuals in the collection, use, and disclosure of their personal data. Specifically, data controllers must conduct DPIAs where privacy breach risks are high so that the risks to data subjects are minimized.
What is the purpose of a data privacy impact assessments?
The GDPR introduces DPIAs as a means to identify high risks to the privacy rights of individuals when processing their personal data. When these risks are identified, (which we’ll explore in more detail later in this blog series), the GDPR expects that an organization formulates measures to address these risks. Those measures may take the form of technical controls such as encryption, pseudonymization or anonymization of data.
Impact assessments, like security assessments, provide a good foundation to assess the potential and ongoing risk of systems and data flows within them. Privacy and data security teams can then recommend and monitor appropriate controls.
When should you conduct a data privacy impact assessment?
The impact assessment should happen before you start processing personal data. It should focus on topics like the systematic description of the processing activity and the necessity and proportionality of the operations. Ideally, impact assessments should always be done any time that you will be working with data that creates high risk to individuals. In reality, the DPIA process may be used to help determine whether or not this is the case. So, in practice it’s a very good idea to make them a standing operating procedure for your privacy by design programs.
How can you use data privacy impact assessments?
Beyond checking a box toward regulatory compliance, DPIAs allow your data protection officer to develop a service level agreement (SLA) with their colleagues in IT and the business. DPIAs can be incorporated as part of the standard process of concept planning, development, test and deployment as well as ongoing monitoring. They also allow privacy teams to implement privacy by design and by default and a risk-based approach to data protection – which are both key components of the GDPR.
A good DPIA process can also scale the impact of what are typically small privacy organizations to match their larger counterparts in IT, security, and the business. Privacy can then be a core part of standing operating procedures – instead of seen as a hurdle to deployment.
For more information or questions please contact Sales Director Ole Andersen on either e-mail or phone no. +45 2387 0600.