7. Risks identified and appropriate solutions or mitigation actions proposed
Is the risk eliminated, reduced or accepted?
Risk: Scottish Government may not obtain appropriate assurance from service providers that they are aware of and comply with their data protection responsibilities.
Solution or mitigation: Assurances from advocacy organisations that their internal training processes include data protection and GDPR rights and responsibilities, as outlined in their Expressions of Interest application.
Risk: Scottish Government, as a joint controller of the data, may not be made aware within 72 hours if a service provider is the subject of a significant data breach.
Solution or mitigation: Grant conditions specify: “The Grantee shall ensure that all requirements of the Data Protection Laws are fulfilled in relation to the Project.” This includes reporting any potential data breach.
Risk: Lack of transparency around the processing of data.
Solution or mitigation: Service providers will provide clients with a privacy notice in hard copy or direct them to the published version on their website. Client consent will be sought for sharing special category data with partner organisations.
Risk: Data subjects may not be able to exercise their rights under the GDPR.
Solution or mitigation: Responsibility for facilitating data subject rights will sit with the service providers. Scottish Government will obtain assurances from the providers that proper procedures and processes are in place to meet these obligations, including that all staff receive appropriate training.
Risk: Scottish Government may receive personal data without legal basis from service providers in their quarterly/annual returns.
Solution or mitigation: As reports from service providers use quantitative information, any numbers of less than 5 will not be reported, to ensure identification cannot take place. Organisations will illustrate themes by use of anonymised case studies. The potential to receive personal data is minimal, but mitigation is in place in the unlikely event of error.