Avoid Delays: Do a Data Protection Impact Assessment!


Working with external partners in IT concerns processes, people and data, whether this is for core infrastructure services, clouds or even digital transformation initiatives. In many of my discussions, both with customers and suppliers, I find that ‘data’ is often the last subject to discuss. Typically, this happens in the legal workstream in the last stages of the project, when the Data Processing Agreements (DPAs) are drafted. This is ineffective!

In the DPA, controller and processor will be held responsible for applying adequate security measures. A mature supplier in the role of processor will request the customer to have taken appropriate actions to protect the privacy data of individuals, employees, customers and other stakeholders. Since about two years, the GDPR directive is in place and you should expect that all organizations have built the knowledge and executed their programs to become GDPR compliant. So, they all should know which personal data they store and process, in which systems, at which locations, with which purpose. 

Unfortunately, the reality is that in the many of the sourcing projects, we find that privacy policies have been defined indeed, but they have not been translated into practical measures, processes and detailed procedures. According to GDPR, organizations are required to execute a Data Protection Impact Assessment whenever an organisation intends to put in place a new processing that is likely to result in a high risk to the rights and freedoms of natural persons. This risk assessment cannot be executed on policies but should cover the facts.  

At the moment the contracts for the external service need to be negotiated this becomes painstakingly clear. Even in the most tangible services like Service Desk, it is unclear which personal data are exposed. Usually, the processing locations of the personal data are agreed in the Data Processing Agreement to be within the European Union, but second-line services might be provided from anywhere in the world. 

Once discovered at the end of the sourcing tender, the impact on the supplier’s solution could be enormous, forcing the supplier to redesign it from ground up. Not only the redesign of the services, but additional proofs that need to be made for supervisory authorities will add additional complexity to the projects. This results in more disputes and will create doubts for the decision-makers.  

So, why not follow the guidelines of GDPR and execute the Data Protection Impact Assessment (DPIA) regularly, and at least at the start of a (re)sourcing project? A DPIA can be executed in a matter of weeks with the guidance of a Data privacy specialist and an IT management consultant. 

Use the content of the articles of the directive and smartly define what is the current status of practices, gather the evidence, assess the risks and document the results. Use a comprehensive assessment approach together with the security framework to come to: 

  • a systematic description of the processing operations, the processing purposes and the legitimate interest pursued by the organization;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of natural persons; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate GDPR compliance, taking into account the rights and legitimate interests of data subjects and other persons concerned.

From now on, for each project we do, we will consider the DPIA from the start. This will provide very valuable insights in the data, avoid delays and above all, increase the success of the sourcing initiative!

Back to the overview