Why is risk analysis imperative?

Data protection law - latecomer to new technologies

Digitalisation changes the world

Both laws, the revised Swiss Data Protection Act and the EU GDPR, must not only be implemented in a compliant manner, but also appropriately, i.e. with a risk-based approach tailored to the individual framework conditions of the company.

With the progress of electronic data processing technologies and the emergence of ever greater quantities of personal data, the question arises of how the consequences of this technologisation for the personal rights of data subjects can be systematically analysed and appropriate measures taken.


Where do you stand in the implementation of the revised Data Protection Act / the GDPR?

Individual data protection measures
Privacy Sparring
Risk Analysis - Privacy Impact Assessment
Data Safety, Data Backup
Swiss DPA / GDPR Compliance

We are there for you wherever you need us.

Please contact us: T. +41 79 348 55 63


What do you need to consider?

Automated decisions taken on personal data


Computers, software, applications, devices, machines and even printers store personal data. Personal data includes not only external characteristics such as eye colour, but also internal states (e.g. opinions and motives for action) as well as relationships with third parties and the environment (e.g. contracts, chat histories). These data are personal even if they can only be assigned to a pseudonym (= user name) on the internet, because the real identity of the user can be found out with the help of the internet provider. Therefore, IP addresses are also to be classified as personal data!

Other examples of personal data are:

First name, last name, stage name, birthday, email, home address, biometric data such as fingerprint and facial recognition, health data, racial and ethnic origin, political opinion, religious or philosophical beliefs, financial and insurance data, trade union membership, photographs of identifiable individuals, electronic consents, usernames, location data, identification numbers, online identifiers, cookies assigned, individual customer notes.

Automated decisions are used, among other things, in credit assessment and fraud prevention, but also when algorithms determine the most suitable job applicant for the new position to be filled.

What does the "risk" for personal data mean according to the revised DPA / GDPR?

The term “risk” is not explicitly defined in the law. Recital 75 of the GDPR states:

A risk within the meaning of the GDPR is the existence of the possibility that an event may occur which itself causes harm, including unjustified interference with the rights and freedoms of natural persons, or which may result in further harm to one or more natural persons.
The risk has two dimensions: the severity of the damage and the probability that the event and the consequential damage occur.

Risk Analysis

Risk identification: Which potential dangers threaten the data subject?

In data protection, risk analysis considers only those risks that have an impact on natural persons. Data protection likewise defines a risk as the damage multiplied by the probability of occurrence. For data protection risks, the damage is the damage to the person. Accordingly, a harm could be:

  • financial loss
  • economic disadvantages
  • social disadvantages
  • identity theft
  • danger to life
  • threat to livelihood
  • discrimination
  • damage to reputation
  • exposure
  • loss of job
  • disclosure of secrets
  • other categories of damage are possible

Risks must be avoided. Therefore, the Data Protection Act requires an analysis of the risks to the natural persons involved in data processing, i.e. customers, suppliers, patients, employed staff or cooperation partners. This also covers processing by so-called “commissioned processors”, e.g. laboratories or an external service provider to which IT has been outsourced.

Why is a risk analysis needed?

Every company and every organisation is obliged, following the data protection objectives, to identify and take appropriate technical and organisational protection measures that ensure the integrity, confidentiality, transparency, data minimisation and availability of the data and systematically protect the processing of personal data. A neutral, holistic risk analysis covers the strategic, information technology, organisational and legal levels. We include your security against cyber attacks and use the synergies with quality management.

When is the risk analysis mandatory by law?

“Privacy by Design”: i.e. devices, applications, information systems, etc. must be designed during their technical development to be as privacy-friendly as possible. Wherever possible, information must be collected anonymously and only the absolute minimum of data must be collected.

“Privacy by Default”: Devices and applications must have the strictest possible default settings when they are first used by users.

When processing particularly sensitive data, especially health data, or using a video camera on the (restricted-public) company premises, the data protection impact assessment, a risk impact assessment based on the preceding risk analysis, is mandatory. Another case is Big Data analyses: they are often used by banks to combat fraud and calculate creditworthiness and can lead to discriminatory decisions that must be averted.

In the case of automated decision-making (“profiling”), for example, the personality profile of the ideal job applicant is defined and the computer assesses who best matches it. It tries to predict and evaluate certain personal aspects, such as aspects of work performance, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or change of location, in order to make a decision for the person who best fits into the team.

Risk Control

The risk analysis comprises all activities for identifying, assessing, evaluating, and prioritising the risks and opportunities in data processing. The risk assessment considers the lawfulness of data processing, its purpose, the scope as well as the state of the art, the implementation costs and its circumstances. It includes all processes and business procedures and thus provides the starting point for risk assessment, risk mitigation measures and risk monitoring.
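The following is an added illustration of the assessment step described above (risk = damage × probability of occurrence, prioritisation, and the DPIA triggers named on this page); it is not a CyberWehr tool, and the four-step numeric scale, the level thresholds and the sample register are assumptions made for the example.

```python
from dataclasses import dataclass
# Assumed 4-step ordinal scale for the page's two dimensions (severity of harm,
# probability of occurrence); the page itself gives no numeric scale.
SCALE = {"negligible": 1, "limited": 2, "significant": 3, "maximum": 4}

@dataclass
class ProcessingActivity:
    name: str
    severity: str                     # severity of harm to the data subject
    probability: str                  # probability that the harmful event occurs
    special_categories: bool = False  # e.g. health data
    video_surveillance: bool = False  # camera on company premises
    automated_decision: bool = False  # profiling / big data scoring

def risk_score(activity):
    """Risk = damage x probability of occurrence, as the page defines it."""
    return SCALE[activity.severity] * SCALE[activity.probability]

def risk_level(score):
    """Assumed thresholds on the 1..16 product scale of a 4x4 risk matrix."""
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"

def dpia_required(activity):
    """DPIA triggers named on the page: particularly sensitive data, video
    surveillance of premises, automated decisions / big data analyses.
    Treating a high residual risk as a trigger too is an added assumption."""
    return (activity.special_categories or activity.video_surveillance
            or activity.automated_decision
            or risk_level(risk_score(activity)) == "high")

def assess(register):
    """Evaluate every activity and prioritise by descending risk score."""
    rows = [{"name": a.name, "score": risk_score(a),
             "level": risk_level(risk_score(a)), "dpia": dpia_required(a)}
            for a in register]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample register, not real client data.
REGISTER = [
    ProcessingActivity("Newsletter mailing list", "limited", "limited"),
    ProcessingActivity("Applicant pre-screening algorithm", "significant",
                       "significant", automated_decision=True),
    ProcessingActivity("Lab results sent to external laboratory", "maximum",
                       "limited", special_categories=True),
    ProcessingActivity("Entrance camera", "limited", "negligible", video_surveillance=True),
]
```

Running `assess(REGISTER)` ranks the applicant-screening algorithm first and shows that the low-scoring entrance camera still needs a DPIA because of the video-surveillance trigger.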

With a view to continuous improvement and, where necessary, the adoption of new technologies, risk management in data processing must be constantly adapted and optimised. This is done using the P-D-C-A (Plan-Do-Check-Act) cycle, a tool that also allows the effectiveness of the measures to be monitored.

CyberWehr RMS GmbH

Alte Landstrasse 109

8803 Rüschlikon (ZRH), Switzerland

2020 © All rights reserved by CyberWehr