Recital - 74.
Responsibility and Liability of the Controller
Executive Summary
Invest in IT security systems and personnel.
Quick Wins
Invest in IT security systems and personnel.
Recital Text
The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established.In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures.Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
Recital - 75.
Risks to the Rights and Freedoms of Natural Persons
Executive Summary
Processing data poses a variety of risks to the Data Subject and to the Processor.
Recital Text
The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymization, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.
Recital - 76.
Risk Assessment
Executive Summary
Risk assessment is required for all processing activities.
Recital Text
The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.
Recital - 77.
Risk Assessment Guidelines
Executive Summary
At some future date, the Board may also issue guidelines on processing operations.
Recital Text
Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer.The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.
Executive Summary
Risk management processes are established, managed, and agreed to by organizational stakeholders. The program should address assessment scope and frequency, risk ratings, finding and exception process, as well remediation guidelines.
Article ID: 334
Created: September 27, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/gdpr-responsibility-of-the-controller-risk-management-program-334.html