04/17/2026 | Press release | Archived content
On 9 April, the Personal Data Protection Office held a webinar entitled "Risk Analysis in Line with the Accountability Principle". The online meeting focused on discussing the "18 good practices" published in the January edition of the Personal Data Protection Office's Bulletin, as well as addressing the most significant doubts concerning the understanding of risk related to the processing of personal data.
The webinar was led by experts who work daily on risk analysis and compliance with data protection regulations: Mirosław Gumularz, PhD - Chair of the Social Team of Experts at the President of the Personal Data Protection Office, Bartłomiej Kowalski from the Personal Data Protection Office's Department of Inspections and Data Breaches, and Tomasz Izydorczyk from the Social Team of Experts at the President of the Personal Data Protection Office. The event attracted a very large number of active participants.
The introductory remarks were delivered by the President of the Personal Data Protection Office, Mirosław Wróblewski. In his address, he emphasised that risk analysis is never an end in itself; rather, it determines the entire data-processing cycle and is crucial for selecting appropriate measures to ensure the protection of personal data and the right to privacy. He also noted that the human being remains at the centre of this process, and that risk analysis cannot be disorganised, one-off, or based on intuition alone - methodology is essential.
In the first part of the meeting, the speakers sought to formulate a definition of risk under the GDPR and to explain what risk analysis entails, as well as the importance of the accountability principle set out in Article 5(2) GDPR.
They pointed out, however, that the GDPR does not prescribe specific data-protection measures, leaving it to controllers to take responsibility for selecting methods appropriate to the circumstances and threats. Much also depends on how quickly technological capabilities and risks evolve, which is why the GDPR sets out the controller's obligations in a more general (technologically neutral) manner, emphasising the need to use measures appropriate to the circumstances to minimise the risk of violating the rights or freedoms of data subjects.
As the webinar leaders stressed, rigid lists of requirements have been replaced in the GDPR by a risk-based approach, and a properly conducted (and complete) risk analysis also helps organisations defend themselves against potential challenges by the supervisory authority regarding the solutions they adopt for personal data processing.
According to the speakers, risk analysis also demonstrates diligence and a responsible attitude towards the rights and freedoms of individuals, which is why the manner in which this process is carried out is often key to the supervisory authority's assessment of compliance.
Risk management is not about identifying in advance every possible threat that may arise within an organisation, but rather about exercising due diligence. The presenters pointed to sources of knowledge on typical and frequent threats that controllers may use. They noted that organisations are often unable to implement the best security measures available on the market, which is why, alongside the state of technical knowledge, the cost of implementation is also an important criterion. In this context, it is also essential to prepare and reliably implement a plan for deploying data-protection measures - including for the purposes of potential inspections by the supervisory authority.
When conducting risk analysis, one must always bear in mind Recital 75 GDPR, which concerns safeguarding the rights and freedoms of individuals whose data are processed. Thus - as the speakers unanimously emphasised - the human being remains at the centre of this activity.
In the context of the accountability principle, participants also addressed the importance of documenting risk analysis by controllers, as documentation enables the recording and tracking of subsequent steps over time and supports the process of improving earlier shortcomings. It should be remembered, however, that the GDPR does not prescribe how such documentation should be kept; what matters is that it can be demonstrated to the President of the Personal Data Protection Office.
Later in the webinar, participants highlighted the issue of the difference between assessing risk from the organisation's perspective and assessing it from the perspective of data subjects. This discrepancy often leads to misunderstandings and may result in organisational interests prevailing over those of individuals.
The speakers also cited examples of administrative court judgments illustrating typical errors in risk analysis occurring in processes such as data migration or remote work.
Other common mistakes in risk analysis include: overly general categorisation of threats and grouping them together despite belonging to different types of risk; creating a false sense of security based on inaccurate assumptions or purely theoretical knowledge; using broad scoring scales instead of detailed descriptions of risk; ignoring findings from audits and inspections; failing to consider publicly available statistics; and manipulating risk assessments (defining risk in such a way that it is ultimately classified as minimal and therefore unproblematic).
Court rulings also show that risk must be assessed in line with the specific nature of the organisation and not according to rigid templates. A broader spectrum of risk should be considered, and assessments should not be limited to the perspective of IT departments, as experts in this field often overlook the social dimension of data protection.
Participants noted the importance of Recital 76 GDPR, which helps determine the likelihood and severity of risks to the rights or freedoms of natural persons.
As added during the discussion, administrative court judgments also indicate that risk analysis is not about using the most advanced technological measures, but rather about their adequacy and about monitoring developments in the technological environment and the changes occurring within it.
Attention was also drawn to institutions that provide easy access to knowledge on security standards and guidelines beneficial for data protection. These include the US National Institute of Standards and Technology (NIST), CERT Polska, the Open Worldwide Application Security Project (OWASP), and the European Union Agency for Cybersecurity (ENISA).
In the final part of the webinar, a diagram was presented showing what an effective risk-management cycle should look like (to be repeated in organisations, for example when changes occur in processing operations, resources or technology that affect risks to individuals). It consists of: a description of processing, identification of threats, risk assessment, selection of protective measures, implementation and testing of measures, and system review and updates.
The role of the data controller in involving the data protection officer in the data-protection process was also discussed (including ensuring the DPO's independence and avoiding conflicts of interest), as well as the problem of controllers frequently shifting responsibility onto employees and processors.
Questions raised in the chat by webinar participants included: defining the effectiveness of risk analysis (can the mere implementation of a solution serve as proof of proper risk analysis?); the need for risk analysis following the introduction of the National e-Invoicing System (KSeF) (according to the webinar speakers, this depends on the tools used rather than on the mere fact of using KSeF); expanding or narrowing the catalogue of possible threats (in the speakers' view, such a catalogue should not be restricted); and methods for verifying the reliability and trustworthiness of systems and processors.