A PROPOSED METHODOLOGY FOR CONDUCTING DATA PROTECTION IMPACT ASSESSMENT AND RISK ASSESSMENT IN AN ORGANIZATION

Abstract

Two years after the enforcement of the General Data Protection Regulation (GDPR) many organizations in Bulgaria are still experiencing problems with its implementation. Part of the reason is that there is a lack of methodological guidelines provided by the Bulgarian data protection authority (CPDP) on how to assess and manage the risk associated with the processing of personal data. Here is a basic structure of such methodology which can be used by organizations in the public and private sector alike. It is heavily influenced by the principles adopted by the French data protection authority (CNIL) which was the first to introduce such guidelines. The methodology can be implemented as is, or expanded according to the specific organizational needs.