Managing personal data risks & conducting a data protection impact assessment under the GDPR
Before the adoption of the General Data Protection Regulation (GDPR), assessing the risks associated with processing personal data was, in general, not mandatory under the Data Protection Directive (DPD). Although the DPD incorporates a risk-based approach with regard to scientific research, data security and prior checking, this did not result in a standardized methodology for data protection risk assessment. The GDPR, however, makes it mandatory to carry out a Data Protection Impact Assessment before engaging in any “risky” data processing.
This course will look at existing approaches to conducting a Privacy Impact Assessment (PIA) and the methodologies adopted by some data protection authorities, such as the UK ICO, the French CNIL and the Spanish DPA. Recently, the Belgian DPA published a draft recommendation on DPIA and Prior Consultation for public consultation, and the Article 29 Working Party has issued Guidelines on Data Protection Impact Assessment (DPIA) as part of its efforts to explain the provisions of the General Data Protection Regulation (GDPR).
More importantly, this course will look at the relevant provisions of the GDPR regarding the scope, process and documentation of a DPIA. In general, this course will be of interest to students who wish to grasp one of the core functions of a Data Protection Officer as provided for by the GDPR.