Expert Advice Community

Supervisory Authorities

Guest user Created:   Jun 01, 2018 Last commented:   Jun 01, 2018

I would like to know more about how Supervisory Authorities can help (with some examples if you have) when it comes to two areas:

Expert
Andrei Hanganu Jun 01, 2018

- Reported Data Breach
- Assistance when DPIA outcome flags a high risk
Basically, how can the ICO (in the UK) help in case of a data breach (e.g. ransomware), or what is the ICO's approach to assisting in DPIAs that have been flagged as high risk?

Answer:

In case of a data breach, it is highly unlikely that the SA will help you with anything, since it is not their job to do so. Most likely they will assess whether your security measures were appropriate, and if not, they may decide to issue a fine.

As regards DPIAs, if a DPIA carried out by a controller indicates that an envisaged processing would result in a high risk in the absence of risk-mitigating measures taken by the controller, the controller shall consult the SA prior to the processing. Recital 94 seems to slightly soften this requirement by providing that a consultation might not be required if the controller is of the opinion that the identified risk can be mitigated by reasonable means in terms of available technologies and costs of implementation. If the SA considers that the processing in question would infringe the GDPR, the SA should respond to such requests within eight weeks. However, the eight-week period may be extended by six weeks in complex matters and may also be indefinitely suspended until the SA has obtained all information requested for the purposes of a consultation. Consequently, the consultation process may take considerably longer than the projected eight-week period. Further, Recital 94 clarifies that a lack of response from an SA within the defined period will not preclude an SA from exercising its powers, such as the power to prohibit processing operations. Hence, a lack of response to a consultation request does not confirm that an envisaged processing is GDPR-compliant, nor does it mean that SAs will not take action against such processing. This might lead to considerable uncertainties in practice.

To learn more about Supervisory Authorities check out our webinar “What to expect from Data Protection Authorities under GDPR” https://advisera.com/eugdpracademy/webinar/what-to-expect-from-data-protection-authorities-under-gdpr-free-webinar-on-demand/
