Navigating the Maze of Assessments for Data and Technology
As regulations around data and technology become increasingly stringent, organisations face growing pressure to ensure compliance and demonstrate accountability. A crucial part of that accountability is executing assessments regularly and systematically.
In recent years, numerous mandatory assessments have been introduced by data and technology regulations. They typically aim to protect (personal) information, increase transparency and accountability, and identify and manage risks.
For example, the GDPR introduced Data Protection Impact Assessments, the AI Act requires conformity assessments for high-risk AI systems, and the NIS2 Directive makes cybersecurity risk assessment part of the required risk-management measures. With so many requirements, organisations often struggle to determine which assessments are necessary and how to prioritise their resources effectively.
Types of Assessments
By now, there is a wide range of assessments an organisation could – and sometimes should – perform. These include:
- Data Protection Impact Assessments (DPIA) for mitigating personal data risks.
- Third-Party Risk/Vendor Assessments for managing supply chain risks.
- Data Transfer Impact Assessments (TIA) for transferring personal data to third countries in a lawful and secure way.
- (Cyber)security Risk Assessment for identifying and managing digital security and continuity risks.
- Conformity Assessments for ensuring the safety of products.
- AI/Algorithmic Impact Assessments for mitigating risks of automated decision-making.
- Ethics Assessments and Human Rights Impact Assessments (HRIA) for addressing risks to human rights.
- Safety, Health, and Environment (SHE) Assessments for ensuring a safe working environment.
- All kinds of other risk and impact assessments, such as training and awareness assessments, compliance gap assessments, and internal and external audits.
It is easy to see how organisations can lose track in this maze of assessments. A structured assessment approach ensures that you do what is legally required and are aware of the most important risks. That lets you prioritise what truly matters and direct your resources to the highest-impact risks first, and efficiently.
A Structured Approach
Eight steps that any organisation can take toward a more effective assessment approach:
1. Define clear roles and responsibilities
A clear governance structure is essential. Make sure the appropriate roles are defined and the right people are involved, especially where a specific role is mandated (e.g. consulting the Data Protection Officer for a DPIA). Know not just who executes the assessment, but also who is responsible for input, review, and approval; a RACI model can provide this clarity. Document the governance structure as well.
2. Map your data flows and (IT) processing landscape
Before starting any assessment, you need a clear understanding of what you are assessing. Identify the types of data you process, who is involved, and what technologies are used. This step is often overlooked, yet it is the foundation of any assessment strategy.
3. Identify applicable regulations and required assessments
Which regulations apply depends on the types of data and technology you use, the regions in which you operate, and the purposes of your activities. From the applicable regulations, derive the required assessments (e.g. a DPIA for high-risk processing of personal data of EU residents under the GDPR, or a conformity assessment under the Medical Device Regulation). This step usually requires support from legal or compliance experts, in-house or external.
4. Identify other appropriate assessments based on risk
While it is tempting to stick to legally required assessments, also consider whether others are warranted. For example, a cybersecurity audit can reveal critical risks to your technology and prevent costly incidents even where NIS2 does not legally require one. Similarly, more thorough third-party risk assessments provide valuable insight into supply chain risks.
5. Start high-level
After steps 3 and 4 you have a list of required and desired assessments. Assessments should be driven by risk and impact, and the best way to get a view of those is to start at a high level: identify the processes with the highest risks (e.g. compliance, financial, reputational, and stakeholder risks). General gap assessments or audits are useful tools for this step.
6. Execute
Once you have identified key processes and risks, zoom in on specific activities. Take your list of required and desired assessments, prioritise them, allocate resources, and get them done.
7. Standardise
Over time, standardise your assessments as forms, questionnaires, and similar tools. A pragmatic approach is to start with a general outline and update it continuously with what you learn during the assessments. Version your assessment documentation to minimise confusion and maximise control.
8. Repeat
Assessing your data and technology is not a one-time activity. To keep up with changes in processes, technology, and regulations, revisit or repeat assessments periodically.
Following these steps gives your assessments clarity and structure. It also lets you cross-reference assessments, reduce red tape, and make informed decisions about where to focus resources. While this approach may seem labour-intensive at first, experience teaches us that it pays off in the long run.
Need support with your data and technology assessments? You can reach us on +31 (0)88 8483 100 or via gdprteam@vivenics.com.