Data Protection Services at KINAST
GDPR Risk Check
A GDPR risk check is a process by which an organization can assess its compliance with the General Data Protection Regulation (GDPR). The check identifies areas of risk for the organization and provides recommendations for mitigating those risks.
What is a GDPR Risk Check?
The GDPR formulates essential principles that any company needs to take into account when it comes to the processing of personal data. For example, you should limit processing to its intended purpose. Further principles also arise, for instance, in relation to the integrity and confidentiality of the data.
A GDPR-compliant data protection policy should be implemented that contains all relevant information concerning the purposes and means of processing personal data. This includes provisions on the rights of the data subjects, a description of the technical and organizational measures, and contact persons for any questions related to privacy.
A professional risk check determines your company’s processing operations in detail and identifies risks to the above-mentioned principles and to the respective data subjects. Moreover, it defines countermeasures in the form of technical and organizational measures.
Our Consultation Process
Introduction of your company and KINAST as well as the relevant contact persons. Discussion of the current data protection setup and most important data protection topics.
We conduct a data protection audit on-site or based on questionnaires to evaluate the current data protection status of your company.
Document the current data protection status and define further required actions if necessary.
We carry out all necessary measures identified during the data protection audit.
Designation as External Data Protection Officer and ongoing consultation starting from day 1.
How do we perform a GDPR Risk Check?
During a risk check, our team first assesses which processing operations you carry out in your company. Alternatively, you can assign us to check individual processes that you have already selected for a risk analysis.
Our preferred approach is to work with your Records of Processing Activities (ROPA). The ROPA shows, for instance, which categories of data from which data subjects you process. It also reveals whether you process data that requires special protection, and whether you transfer data to third parties or to (unsafe) third countries. Through our evaluation, we make the processing operations comprehensively visible for further analysis.
We then analyse which risks come into consideration for the protection of the above-mentioned principles with regard to the respective processing. The analysis includes the possible types of damage (e.g., financial or reputational damage), damage events (e.g., data breaches) and sources of risk (e.g., an employee’s error). We also consider the potential extent of the damage and the probability of occurrence. After analysing these issues, we create an overview of the possible and existing risks for the company or for a processing activity.
GDPR Risk Check: Benefits
Duration of a GDPR Risk Check
The duration of a risk check depends very much on the individual case. The number and extent of the processing operations concerned play a major role. At the same time, it is a process that you should repeat at regular intervals, since processes can change from time to time and new tools could lead to a different risk assessment. For more detailed information, see the FAQs below.
What makes KINAST the best choice for an External Data Protection Officer?
Due to the increased fines, the obligation to report to authorities and the potential loss of reputation, it is becoming increasingly important for companies to obtain knowledgeable and legally correct advice on data protection law. Based on our qualifications and our proven concept, we ensure future-proof data protection in your company. We guarantee a long-term, sustainable solution and minimize the risk of liability.
Would you like us to perform a GDPR Risk Check for your business?
We know that data protection can be a daunting task, but our lawyers and specialist data protection officers are here to help. With over 15 years of hands-on experience, there isn’t a situation that we haven’t seen! At KINAST, we guarantee that your company is in safe hands, and our GDPR Risk Check will help to outline where your business might fall short of GDPR law. So why not contact us today for a free, no-obligation consultation?
Frequently asked questions
We understand that many clients still have questions about a GDPR Risk Check. We’ve answered some of the most frequently asked questions here. If you have more specific or specialist questions, feel free to contact us, and one of our Lawyers or Data Protection Officers will get back to you as soon as possible.
The timeframe of a risk check depends on a few different factors. The number and extent of the processing operations concerned play a major role. If the risk assessment is only performed for a single processing activity, it can be completed quickly. A comprehensive risk analysis of all processes in a company can take several weeks. However, this is to be understood as an accompanying process, because as soon as risk gaps are discovered, work on a protective measure can begin in parallel.
Because our role is advisory, the responsibility for implementation lies with the controller. However, we of course provide support where requested and necessary, by helping to draft the indispensable templates, processes and policies, and by reviewing these measures to ensure that the implementation is data protection compliant from the get-go.
Not necessarily. This depends on whether the company takes sufficient technical and organizational measures to at least mitigate the risk. If not enough measures have been implemented, we will help you to implement them. However, if risks are not responded to, this may constitute a breach of the GDPR.
The DPIA must be carried out if an individual processing operation poses a high risk to data subjects’ rights. Within this framework, a precise analysis of the risks involved and a balancing of the interests of the data subjects against the interests in processing takes place. If the interests of the data subject prevail, the processing must be stopped or further measures must be taken to reduce the risk accordingly. The DPIA is also subject to strict documentation rules.
The risk check is carried out upstream of a DPIA and is intended to determine which risks actually exist in the company, which measures should be linked to them, and which measures have already been implemented in the company.
It is not possible to completely rule out data protection incidents. The conceivable cases are too diverse for that. However, a risk check can significantly reduce the probability of incidents and, in particular, close existing risk gaps.