The General Data Protection Regulation (GDPR) requires that every data subject (users, product and service clients, staff) be provided with a defined list of up-to-date information. This list is set out in Articles 13 and 14 of the GDPR. It includes the contact details of your DPO (Data Protection Officer), the purposes and legal basis of each processing operation, the categories of data processed, the facts and conditions of any cross-border transfer, a reference to the data subject's rights, etc. Companies have been fined for failing to meet these requirements.
- Protect your business against complaints from data subjects and inspections (and therefore fines) by supervisory authorities.
- Demonstrate to partners, clients and staff your commitment to transparency and compliance with the law.
1. Identification of the context, value, and scale of the processing.
2. Identification and analysis of the mechanisms that allow data subjects to exercise their rights.
3. Analysis of the personal data protection measures already implemented.
4. Identification of the individuals at risk from the processing, the sources of threats, and the potential privacy violations.
5. Evaluation of the likelihood of each risk and the severity of its consequences for the data subjects.
6. Selection of measures to minimise the risk, and development of an action plan with time frames and responsible people.
1. We provide training so that our staff understand the need to consider a DPIA at the early stages of any plan involving personal data.
2. Our existing policies, processes and procedures include references to DPIA requirements.
3. We understand the types of processing that require a DPIA, and use the screening checklist to identify the need for a DPIA, where necessary.
4. We have created and documented a DPIA process.
5. We provide training for relevant staff on how to carry out a DPIA.
1. We consider carrying out a DPIA in any major project involving the use of personal data.
2. We consider whether to do a DPIA if we plan to carry out any other:
- evaluation or scoring;
- automated decision-making with significant effects;
- systematic monitoring;
- processing of sensitive data or data of a highly personal nature;
- processing on a large scale;
- processing of data concerning vulnerable data subjects;
- innovative technological or organisational solutions;
- processing that involves preventing data subjects from exercising a right or using a service or contract.
3. We always carry out a DPIA if we plan to:
- use systematic and extensive profiling or automated decision-making to make significant decisions about people;
- process special-category data or criminal-offence data on a large scale;
- systematically monitor a publicly accessible place on a large scale;
- use innovative technology in combination with any of the criteria in the European guidelines;
- use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit;
- carry out profiling on a large scale;
- process biometric or genetic data in combination with any of the criteria in the European guidelines;
- combine, compare or match data from multiple sources;
- process personal data without providing a privacy notice directly to the individual in combination with any of the criteria in the European guidelines;
- process personal data in a way that involves tracking individuals’ online or offline location or behaviour, in combination with any of the criteria in the European guidelines;
- process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them;
- process personal data that could result in a risk of physical harm in the event of a security breach.
5. We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.
6. If we decide not to carry out a DPIA, we document our reasons.
1. We describe the nature, scope, context and purposes of the processing.
2. We ask our data processors to help us understand and document their processing activities and identify any associated risks.
3. We consider how best to consult individuals (or their representatives) and other relevant stakeholders.
4. We ask for the advice of our data protection officer.
5. We check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure compliance with data protection principles.
6. We do an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests.
7. We identify measures we can put in place to eliminate or reduce high risks.
8. We record our decision-making in the outcome of the DPIA, including any difference of opinion with our DPO or individuals consulted.
9. We implement the measures we identified, and integrate them into our project plan.
10. We consult the ICO before processing, if we cannot mitigate high risks.
11. We keep our DPIAs under review and revisit them when necessary.
This checklist will help ensure you have written a good DPIA. We have:
- confirmed whether the DPIA is a review of pre-GDPR processing or covers intended processing, including timelines in either case;
- explained why we needed a DPIA, detailing the types of intended processing that made it a requirement;
- structured the document clearly, systematically and logically;
- written the DPIA in plain English, with a non-specialist audience in mind, explaining any technical terms and acronyms we have used;
- set out clearly the relationships between controllers, processors, data subjects and systems, using both text and data-flow diagrams where appropriate;
- ensured that the specifics of any flows of personal data between people, systems, organisations and countries have been clearly explained and presented;
- explicitly stated how we are complying with each of the Data Protection Principles under GDPR and clearly explained our lawful basis for processing (and special category conditions if relevant);
- explained how we plan to support the relevant information rights of our data subjects;
- identified all relevant risks to individuals’ rights and freedoms, assessed their likelihood and severity, and detailed all relevant mitigations;
- explained sufficiently how any proposed mitigation reduces the identified risk in question;
- evidenced our consideration of any less risky alternatives to achieving the same purposes of the processing, and why we didn’t choose them;
- given details of stakeholder consultation (e.g. data subjects, representative bodies) and included summaries of findings;
- recorded the advice and recommendations of our DPO (where relevant) and ensured the DPIA is signed off by the appropriate people;
- agreed and documented a schedule for reviewing the DPIA regularly or when we change the nature, scope, context or purposes of the processing;
- consulted the ICO if there are residual high risks we cannot mitigate.
CIPM, TÜV, Strategic Privacy by Design, DPP
Data Protection Officer, GDPR Consultant, Privacy researcher
Certified Information Privacy Manager and member of the International Association of Privacy Professionals, with experience as a Data Protection Officer for European companies, including those focused on privacy and data security. Certified as a Data Protection Officer by TÜV (Germany's leading, and one of the world's leading, independent testing and certification groups), and trained in Strategic Privacy by Design.
Fill out the form and you will:
✓ Be able to ask questions in the field of personal data protection.
✓ Find out if this product is suitable for your company or project.
✓ Get directions on cost, duration, and other details.
We will be happy to talk and schedule an online meeting with a privacy expert!
P.S. Does it seem that none of the services listed on the site suits you?
Describe your situation in the "Comment" field. We are very flexible and always offer customised solutions.