A Data Protection Impact Assessment (DPIA) is a mandatory process under the GDPR (Article 35) for building and proving compliance whenever data processing is likely to result in a high risk to the rights and freedoms of natural persons.
But conducting DPIAs is often a daunting task, especially in large organizations with many processing activities and data supporting assets. As a result, they are not performed and updated as often as they should be, exposing businesses to administrative fines both for not having a DPIA (up to 2% of annual worldwide turnover under Article 83(4)) and for not properly addressing the underlying privacy risks (up to the infamous 4% under Article 83(5)).
At Sypher we recognized this problem and designed a methodology that helps privacy professionals conduct a DPIA in a simplified way, whenever they need one.
In this article we look at the approach for identifying and minimizing privacy risks, an important part of any DPIA.
How it works
First, the platform lets you define data supporting assets and identify the potential threats and vulnerabilities affecting each of them. Then you add details about the existing or planned controls that mitigate those threats. Based on the controls in place, you assign a risk likelihood to each relevant privacy risk, on each data asset analyzed.
While risk likelihood is managed at the level of data supporting assets, risk severity is defined directly on the business process and is automatically inherited by every processing activity that belongs to that process when the risk analysis is performed.
If needed, the assessor can override the automatically derived likelihood and severity for each processing activity.
Based on this information, whenever you look at a processing activity, Sypher Suite draws information from every relevant data supporting asset and from the parent process to compile a risk assessment dashboard showing the data supporting assets, the controls and the resulting risk level for each privacy risk.
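The aggregation described above, as an added illustration written for this article rather than Sypher's own code: likelihood lives on the data supporting assets, severity on the business process, a processing activity inherits both, and the assessor may override either. Everything not stated on the page is an assumption made here: the 1 to 4 ordinal scales, taking the worst (highest) likelihood across contributing assets, combining the two as a product bucketed into four levels, and the sample recruitment scenario used as input.

```python
from dataclasses import dataclass, field

# Assumed ordinal scale for both likelihood and severity: 1 = low ... 4 = very high.
MIN_LEVEL, MAX_LEVEL = 1, 4


def check_level(value: int, what: str) -> int:
    """Reject values outside the assumed 1..4 scale instead of silently scoring them."""
    if not MIN_LEVEL <= value <= MAX_LEVEL:
        raise ValueError(f"{what} must be between {MIN_LEVEL} and {MAX_LEVEL}, got {value}")
    return value


@dataclass
class DataAsset:
    name: str
    controls: list[str]              # existing or planned mitigating controls
    likelihood: dict[str, int]       # privacy risk -> likelihood, assigned after reviewing controls


@dataclass
class BusinessProcess:
    name: str
    severity: dict[str, int]         # privacy risk -> severity, defined once on the process


@dataclass
class ProcessingActivity:
    name: str
    process: BusinessProcess
    assets: list[DataAsset]
    likelihood_override: dict[str, int] = field(default_factory=dict)  # assessor overrides
    severity_override: dict[str, int] = field(default_factory=dict)


def risk_level(likelihood: int, severity: int) -> str:
    """Assumed combination rule: product of the two scores, bucketed into four levels."""
    score = check_level(likelihood, "likelihood") * check_level(severity, "severity")
    if score >= 12:
        return "very high"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def assess(activity: ProcessingActivity) -> dict[str, dict]:
    """Compile the per-privacy-risk dashboard for one processing activity."""
    risks = set(activity.process.severity)
    for asset in activity.assets:
        risks |= set(asset.likelihood)

    report = {}
    for risk in sorted(risks):
        contributing = [a for a in activity.assets if risk in a.likelihood]
        # Assumption: the activity is only as safe as its most exposed asset.
        auto_likelihood = max((a.likelihood[risk] for a in contributing), default=MIN_LEVEL)
        auto_severity = activity.process.severity.get(risk, MIN_LEVEL)
        likelihood = activity.likelihood_override.get(risk, auto_likelihood)
        severity = activity.severity_override.get(risk, auto_severity)
        report[risk] = {
            "likelihood": likelihood,
            "severity": severity,
            "level": risk_level(likelihood, severity),
            "assets": [a.name for a in contributing],
            "controls": sorted({c for a in contributing for c in a.controls}),
            "overridden": risk in activity.likelihood_override or risk in activity.severity_override,
        }
    return report


def example_assessment() -> dict[str, dict]:
    """Constructed sample scenario (not real customer data): an online recruitment activity."""
    applicant_db = DataAsset("applicant DB", ["encryption at rest", "RBAC"],
                             {"unauthorised access": 2, "excessive retention": 3})
    mail_gateway = DataAsset("email gateway", ["TLS"], {"unauthorised access": 3})
    recruitment = BusinessProcess("recruitment", {"unauthorised access": 3, "excessive retention": 2})
    activity = ProcessingActivity("online job applications", recruitment,
                                  [applicant_db, mail_gateway],
                                  severity_override={"unauthorised access": 4})
    return assess(activity)


if __name__ == "__main__":
    for risk, row in example_assessment().items():
        flag = " (assessor override)" if row["overridden"] else ""
        print(f"{risk}: L{row['likelihood']} x S{row['severity']} -> {row['level']}{flag}")
```

Because the email gateway carries a higher likelihood than the applicant database, the activity inherits likelihood 3 for unauthorised access; with the assessor's severity override of 4 the risk lands in the top bucket, while excessive retention stays medium from the database alone.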
As with the GDPR registry and the mapping of processing activities, a privacy impact assessment is not a one-time exercise but a process that needs to be regularly reviewed and monitored for relevant changes, to ensure that privacy risks are still adequately managed.
Sypher helps you keep the information up to date by flagging changes that occur at the asset, control or process level, so you know when to review the risk information for the affected processing activities.
Contact us for more information or start your free trial here.