Do you have what it takes to make the risk assessment?

5 lessons from GDPR for your next Risk Assessment Report

With guidance from the Danish DPA 

In November alone, four out of eleven inspections from the Danish Data Protection Agency revolved around “risk assessments in security processing”. Since the implementation of GDPR,  companies have been holding their breath over where scrutiny will be applied by local DPA’s. Here are 5 things we learned so far.

Article 32 GDPR – why bother with a RAR?

If you don’t have a RAR (Risk Assessment Report) yet, you should. The requirement of conducting a risk assessment report is found in several articles in GDPR including article 32. Article 32 addresses the security of processing and requires: 

‘’(…) the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk’’

Furthermore, the considerations about the risks should include those that occur when processing data, in particular: 

  • accidental or unlawful destruction of data
  • loss of data
  • alteration of data
  • unauthorized disclosure of data, or 
  • access to personal data transmitted, stored or otherwise processed. 

All of this with the data subject in mind – that is the customers/business partners/workers or anyone else dealing with the company, where personal data is relevant. 

The RAR as a business enabler

In order to be GDPR compliant with regards to data risks, the Risk Assessment Report is introduced as a tool to show the DPA what considerations and thoughts have been made and to ensure that a risk-based approach is taken. The mantra within the GDPR community goes: If it’s not in black and white in the RAR, it’s not done.  

While the purpose of the regulation is to ensure the rights of the subjects the RAR actually creates an opportunity for companies to benefit as well. That is if the framework of the report is right. 

The common problems of drafting a RAR 

For all of those working with GDPR, the RAR can be a bit of a challenge. Not only because it seems like an impossible task to foresee all possible events of a data breach but also because of the uncertainty of what and how the DPA is going to demand when they come to audit. 

Even if the DPO, the CISO or the responsible entity within the organization will keep an eye on the latest statements from the DPA, it will still be a challenge to constantly change the framework of how the RAR is composed. Even after two years of the GDPR being in effect, companies are still not sure about the above-mentioned topics. Can we find a common thread in two years of scrutiny? 

The light at the end of the tunnel 

Danish authorities quickly realized that companies were taken by surprise when being investigated. So, they have issued some guidelines that can be helpful to have considered in advance of an investigation. The guidelines are Vejledende tekst om risikovurdering and Behandlingssikkerhed – Databeskyttelse gennem design og standardsindstillinger

The first mentioned focuses on identifying the risks and how to compose the right RAR framework. Main takeaways include how to conduct: 

  • An assessment of the consequences of a breach of data
  • An assessment of threats
  • An assessment of vulnerability, and finally 
  • The risk profile, which is composed of
    •  (risks x probability) – existing measures = the risk

These guidelines will serve as a great help as to how the report itself should be composed. The other guidelines are helpful as to how to identify the right measures to impose and how to implement them in practice. Furthermore, it offers a guide as to how data protection by design and default will help ease the work in the future by implementing a proactive approach throughout the organization. 

Learning from others mistakes 

The guides should serve as a great directory but there really isn’t a greater teacher than past mistakes. 

In one of the latest cases of the Danish DPA, an office community of law firms had drafted a risk assessment report but hadn’t included any thoughts regarding “encryption on the transport layer via TLS” when sending out emails that contained personal data to their clients. Since there was no RAR that included these considerations, it resulted in criticism from the DPA. 

This case is not only important because it gives a heads up to companies as to what to remember to consider in their RAR. It’s also important because it shows as to what extent IT and law need to walk together hand in hand in order to be compliant. 

If you’re from a legal background reading this and ‘’the transport layer via TLS’’ does not ring a bell, you better call up your IT department and get them on board of GDPR because this is part of being compliant.

Instant reports and “Dynamic presentation”

All aspects need to be interconnected in order to create adequate reports that will meet the requirements of the DPA, and be value-creating for the business. Start with connecting:

  • Systems
  • Activities
  • Processes, and
  • Third parties 

and continuing to further interconnect data, policies and procedures, legal background, retention rules, information obligation, data subjects, and last but not least technical measures in IT security. This will ensure not only a compliant RAR but also benefit the organization in its daily GDPR work and make data protection by design and default a whole lot easier to implement. 

It is not humanly possible to have manual control over this, so we look at the tech industry for answers. Excel has long been our trusted friend in all things data. Recent cases have however proven that this will not cut it. A static presentation is not versatile enough to meet the high standard the DPA sets for GDPR compliance. 

The High Tech solution 

When looking for a system that will make the mark, make sure it makes the connections between the above-mentioned aspects. To be truly prepared, companies need to be able to create reports from different angles about the same subset of data. As soon as this becomes a reality, the right framework will always be available as it becomes dynamic and can be molded to match any requirements from the DPA. This is where the RAR can go from a zero to truly become a hero!

Keep an eye out for our blog to learn more about the development of our framework. We help set the standard for compliance. We help – you comply.