The guiding principles of the General Data Protection Regulation stimulate organizations to address the issue of compliance with an approach based on continuous risk assessment.

The correct implementation of a GDPR compliance model obliges organizations to review the bureaucratic and paper-based approach adopted so far, especially in Italy, to monitor the issue of privacy and to arrive at a concept of accountability.

Technological innovation continually proposes new tools for an increasingly connected planet, but at the same time exposes personal data to new threats and, more generally, precious information assets, even critical infrastructures, are now exposed to the cyber threat.

Think of the explosion of the cloud model and of all the organizational, compliance and security implications connected to the diffusion of biometrics, graphometric devices, profiling, often embedded in web site development, and the tumultuous development of IoT, which, according to the most conservative estimates, will interconnect more than 50 billion devices in 2020. These models must be well understood by evaluating their adoption from time to time, balancing the possible real benefits they bear with the risks of violating privacy connected to their use.

The physical security market rightly takes advantage of continuous innovation, sometimes radically changing the classic solutions (video surveillance, access control, alarm systems) or introducing new ones (biometric solutions).

The most appropriate response to support the profound changes required by the GDPR is the implementation of a privacy management model (PMS, or privacy management system), hopefully integrated with the other business management systems, adopted to guarantee the company the compliance with voluntary certification schemes or compliance with mandatory regulations.

One of the "engines" of the PMS is the data protection impact assessment process.

Disciplined by Article 35 of the GDPR, it has the objective not only to guarantee data security, but above all, to identify the specific privacy risks of the treatment.

A DPIA consists of a procedure aimed at describing the treatment, assessing its necessity and proportionality, and facilitating the management of risks for the rights and freedoms of individuals deriving from the processing of their personal data (through the assessment of these risks and the definition of appropriate measures to address them).

In the case of companies in the security arena, a careful balance between security and privacy is at DPIA stage in order to evaluate from the beginning the necessity and proportionality of a certain treatment and then assess the risks towards the freedom of the people.

The DPIA is therefore an important tool in terms of accountability, as it helps the owner to demonstrate the adoption of appropriate measures to ensure compliance with these requirements.

The privacy impact assessment should always be conducted, even if the conditions foreseen by the GDPR can be configured to be able to avoid this obligation.

It must in fact prevail a vision on the part of the owner, who embraces the risk in a broad way, internalizing, in all the folds of the organization, the risk-based approach. In the same way, before starting any project, the costs and possible benefits evaluation is performed through the business plan, it is desirable that before starting a treatment of personal data, the privacy risks are evaluated as well, through the DPIA, for the purpose of mitigating them.

For Article 35 (3) of the GDPR, the DPIA is required in the case of "... large-scale systematic surveillance of an area accessible to the public."

The security sector services should therefore always be evaluated with the lens of the DPIA.

It is important that the risks to the interested parties are identified (not just the data breach impacts, but also considering the intrinsic risks of the processing which, even if safe and with a low exposure to risks of violations, could violate the privacy of the data subject). Therefore it is convenient to extend the analysis to compliance risk and risks related to the organization, since the privacy risks towards the interested party usually have associated risks of compliance and towards the organization.

The organization should then identify the actions to be implemented to counter the risks, bearing in mind that the realistic objective of the DPIA is to reduce the risk to an acceptable level, not to completely eliminate the privacy impact. Once again, the focus is on privacy, not only on data.

The impact assessment phase determines what the consequences could be for the data subjects and therefore for the organization if the personal data processed lose one or more of the security requirements that characterize them (CIA characteristics), due to:

  • Unauthorized access or undue disclosure (C - confidentiality).
  • Accidental or undue alteration of the information (integrity).
  • Unavailability of information (availability).

Normally, the organizations determine as a strategic choice what is called acceptable risk. This makes it possible to develop a plan of interventions, giving priority to those relating to events that present an estimated level of risk being greater than acceptable risk. It is in this phase that it is decided whether the levels of residual risk are acceptable or require mitigation, possibly consulting the supervisory authority (in the cases envisaged by the so-called prior consultation, Article 36.1 of the GDPR).

The main output of the DPIA is the action plan, which clearly consists of a registration of the PMS and a support for accountability. It allows the opportunity to define a shared plan of the measures to be taken, the responsibilities of execution and verification and therefore of the assumption by the top management of the awareness of residual risk connected to the treatment in question.

Training of people authorized to process personal data may be one of the risk mitigation measures to consider when conducting a DPIA. If its effectiveness is recognized in this sense, it must become an input to the corporate training process, always with a view to integrating the PMS with the organization's processes.

Another measure normally identified consists in strengthening the security linked to the CIA characteristics of the information processed, relative to the assets involved.

Also the consolidation of the supply chain supervision is one of the measures that are effective in order to mitigate the risks connected to the processing of personal data.

Finally, the use of legal advice to prevent possible illegal treatment is a useful measure that could be suggested in the early stages of a DPIA process.

photo credit: Got Credit via photopin