Can you please explain to me briefly how to perform the risk assessment for biometric data (GDPR), using a computer, one employee and a biometric reader (ISO 27001)?
First, it is important to note that using ISO 27001 is not mandatory for fulfilling GDPR requirements. To perform a risk assessment, you can use any approach your organization sees fit for its purpose.
Additionally, ISO 27001 does not prescribe any method to perform risk assessment, only defines requirements to be fulfilled by the adopted risk assessment process.
Considering that the purpose of GDPR is the protection of personal information from being accessed, modified, or destroyed in an uncontrolled manner, examples of risks, considering the elements you mentioned, are:
- an unattended computer storing biometric data can be stolen or invaded
- an untrained employee can inadvertently delete biometric data
- a biometric reader can fail during a data-gathering session
This material will also help you regarding risk management:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Apr 16, 2021