NEWS
Infographic showing personal data fields (name, addresses, IDs) linked to a silhouette, emphasizing confidential data and identity security.

Impact of Security of Processing on Personal Data and DPIA: Correlation

The EDPB's proposed DPIA Template and Explainer provide an important clarification: DPIAs are not limited to risks arising from the intended processing of personal data.

They should also address risks resulting from failures in the security of processing under Article 32 GDPR, including accidental events (human errors, system vulnerabilities) and unlawful events (cyberattacks, unauthorized access, ransomware).

An interesting question arises:

Can a high impact resulting from security of processing, by itself, trigger a DPIA?

There are two scenarios:

  • Where a DPIA is already mandatory under GDPR or national law, security-related risks form an integral part of the DPIA.
  • Where a DPIA is not expressly mandatory, but a confidentiality, integrity or availability failure could result in significant harm to individuals (e.g. financial loss, blacklisting, loss of employment, deterioration of health), the assessment of security of processing risks may indicate that the processing is “likely to result in a high risk” to individuals, thereby triggering the need for a DPIA. For example: in case when there is no large scale of processing of health data, but there is a high impact resulting from security of processing, whether DPIA shall be carried out or not. And whether the DPIA may solve the high risks resulting from the security of processing?

In practice, security of processing and DPIA are often two sides of the same coin: the former identifies  how data subjects may be harmed, while the latter may determine whether additional safeguards are required to reduce those risks.

Mastering this field of Data Protection Ivan Milošević, Partner in JPM Belgrade office is giving us the analysis on the topic above.

author avatar
JPM Law Office
Scroll to Top

Privacy Policy

Law firm Janković, Popović & Mitić Beograd takes care of your privacy. As a controller and in accordance with the Law on Personal Data Protection and other applicable personal data protection regulations, we are obliged to provide you with information related to processing of your personal data.

We use cookies to help improve your experience of our website by measuring how it’s used.

Read our Privacy & Cookie policy for more information.

This Privacy Notice describes which personal data we collect from you and in which manner, how we use and share your personal data. It contains information on purposes and legal grounds for processing, on the time period in which we store your personal data, the manner we protect this data as well as on your rights.