One of the main goals of the new Data Protection Regulation is to make the enforcement of data protection legislation more efficient. This can be seen in the fact that national supervisory authorities have been granted the power to impose very large fines for unlawful data processing.
Almost all companies process personal data, which makes them data controllers obligated to comply with data protection legislation. In this respect, the new regulation makes data protection a part of corporate risk management on an entirely new scale. In order to ensure that they identify, manage and minimise these risks properly and efficiently, companies must look beyond their own business risks and keep in mind whose risks they are really dealing with.
Data Protection Risks Are Individual Risks
The purpose of personal data legislation is to protect the rights of individuals—you, me, everyone—to data privacy. The risk that personal data will be abused also primarily affects individuals. If you look at the numbers, the legislator has really spelled this out in the new regulation: the word ‘risk’ appears in the new regulation about 70 times—a ten-fold increase over the current Data Protection Directive.
The Data Protection Regulation emphasises the data controller’s duty to plan its data processing procedures in such a way that the risks on the level of individuals are taken into account proactively. This requires more of companies than just incorporating data protection risks into their existing risk management processes—risk awareness needs to be present in data protection work that data controllers engage in on every level.
Without making an assessment of the potential effects on individuals, the effective implementation of data protection legislation is impossible. How can companies choose the correct legal grounds (such as determining whether the data controller’s legitimate interests are in balance with the rights of individuals) or determine the proper level of data security without knowing what the risks to the individual are?
According to the principle of privacy by default, companies need to identify and account for risks to individuals well before starting to process data. Companies should adopt some kind of privacy impact assessment to systematically assess and document the risks relating to data processing.
One of the major changes being brought by the new Data Protection Regulation is accountability. It is no longer enough that a company’s actions are compliant, they have to be able to demonstrate it. The risk management methods mentioned above are a key part of fulfilling this obligation.
Systematic data protection procedures that take the risks to individuals into account will not only shield companies from fines and other penalties, but maintain the public’s trust in the company. This trust then forms the foundation for the next step, in which data protection ceases to be a risk and becomes a business opportunity. This should be the long-term goal of every company.