La Agencia Española de Protección de Datos (AEPD) recently published guidance for organisations on how to assess the risks involved in personal data processing operations (42-page / 8.89MB PDF). It also updated existing guidance on conducting data protection impact assessments (DPIAs) (66-page / 9.47MB PDF).
Both pieces of guidance are designed to support businesses with their compliance with the General Data Protection Regulation (GDPR), which will apply from 25 May 2018, said Madrid-based Paula Fernández-Longoria of Pinsent Masons, the law firm behind Out-Law.com.
The GDPR will introduce a new approach to the way businesses should consider the security of personal data, Fernández-Longoria said.
"The General Data Protection Regulation requires data controllers and processors to assess the risk the processing operations may raise in order to implement adequate security measures," she said. "This means a change to a more dynamic model where data controllers and processors shall continually ensure that the adequate security measures are implemented."
"To guide data controllers and data processors, the Spanish data protection authority has issued guidelines on how to carry out a risk assessment. These are aimed at defining the security measures that must be applied in relation to each processing operation," Fernández-Longoria said.
"The Spanish authority recommends the registry of processing operations as a starting point for the risk assessment and includes a number of templates to carry out the risk assessment procedure, including questions on the type of data processed and the purpose of the processing. The guide also includes a template to assess the life cycle of the personal data from the moment the personal data is collected to the moment the personal data is destroyed," she said.