Information and cyber security management

Data Protection Risk Assessment

According to the requirements of the General Data Protection Regulation (GDPR), data controllers and data processors must implement appropriate technical and organizational measures to ensure security at a level commensurate with the risk. Data protection risk assessment can help to choose the most optimal technical and organizational measures to protect data. The organization must assess the impact on the fundamental rights and freedoms of natural persons due to a possible breach of personal data security.

The risk assessment approach according to the guidelines prepared by the State Data Protection Inspectorate (SDPI) is based on the following four steps: 1) determination of the data processing operation and its context; 2) understanding and evaluation of the impact; 3) identification of possible threats and assessment of the probability of their occurrence; 4) risk assessment.

Security measures must help to manage risks effectively and in a timely manner, that is, where and when needed. A lack of appropriate technical and organizational measures may be considered an infringement of the GDPR and may result in administrative fines of up to 2 to 4% of the total annual worldwide turnover of the preceding financial year, or up to EUR 10 000 000 to EUR 20 000 000.

Process

  • We collect evidence and information
  • We assess the information
  • We define data processing operations and processed data
  • We assess the impact on the fundamental rights and freedoms of natural persons due to a possible breach of personal data security
  • We identify threats related to the personal data processing environment (external or internal) and assess the likelihood of their occurrence
  • We identify and evaluate organizational and technical measures for personal data protection and their adequacy
  • We assess the level of risk based on the results of the assessment of the impact of the personal data processing operation and the probability of the occurrence of the corresponding threat
  • We prepare a plan of risk management measures to manage unacceptable risks

Results

  • A list of data processing operations and processed data has been prepared, determining: 1) What are the organization’s personal data processing operations? 2) What categories of personal data are processed? 3) What is the purpose of processing? 4) What tools are used to process personal data? 5) Where is personal data processed? 6) What are the categories of data subjects? 7) Who are the data recipients?
  • The impact on the fundamental rights and freedoms of natural persons due to a possible breach of personal data security has been assessed. The impact of a loss of data confidentiality, integrity and availability has been rated as low, medium or high.
  • Risks to personal data protection have been assessed. Threats related to the entire personal data processing environment (external or internal) have been identified and the probability of their occurrence has been assessed. The level of risk has been assessed, and appropriate security measures have been chosen to ensure the security of personal data.
  • A risk assessment report has been prepared, which describes the risk assessment methodology and the results of the risk assessment.
  • A plan of risk management measures designed to reduce the level of unacceptable risks has been prepared.

Benefits

  • Personal data protection gaps, threats and risks affecting the fundamental rights and freedoms of natural persons due to a possible breach of personal data security have been identified and assessed
  • A plan of risk management measures (priorities of measures and an implementation schedule) has been prepared for managing unacceptable risks, which helps to manage personal data protection risks properly
  • Technical and organizational measures sufficient for, and proportionate to, the identified risks are planned in good time
  • Compliance with GDPR requirements is ensured

Contact person

Ernestas Lipnickas
Mobile: +370 (605) 44 444
Email: ernestas.lipnickas@adwisery.eu