They should also address risks resulting from failures in the security of processing under Article 32 GDPR, including accidental events (human errors, system vulnerabilities) and unlawful events (cyberattacks, unauthorized access, ransomware).
An interesting question arises:
Can a high impact resulting from security of processing, by itself, trigger a DPIA?
There are two scenarios:
- Where a DPIA is already mandatory under GDPR or national law, security-related risks form an integral part of the DPIA.
- Where a DPIA is not expressly mandatory, but a confidentiality, integrity or availability failure could result in significant harm to individuals (e.g. financial loss, blacklisting, loss of employment, deterioration of health), the assessment of security of processing risks may indicate that the processing is “likely to result in a high risk” to individuals, thereby triggering the need for a DPIA. For example: in case when there is no large scale of processing of health data, but there is a high impact resulting from security of processing, whether DPIA shall be carried out or not. And whether the DPIA may solve the high risks resulting from the security of processing?
In practice, security of processing and DPIA are often two sides of the same coin: the former identifies how data subjects may be harmed, while the latter may determine whether additional safeguards are required to reduce those risks.
Mastering this field of Data Protection Ivan Milošević, Partner in JPM Belgrade office is giving us the analysis on the topic above.
