Data Privacy Impact Assessment
Under the GDPR, a Data Protection Impact Assessment (DPIA) is mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”.
This is particularly relevant:
- When a new data processing technology is introduced, e.g. new features in your products or services, or the launch of a new product.
- When you are going through compliance processes with customers. Their Privacy Departments will sometimes ask for a DPIA, so it is good to have a DPIA in place for all your products that you can share with customers.
- Make sure that you review your DPIAs every year.
This section consists of 2 steps:
Step 1. Perform the DPIA
Step 2. Process your findings in the DPIA section
Step 1 – Perform the DPIA
- Assign an Owner – this should be your Privacy Officer/Compliance Officer
- In the Template Section you can find the Data Protection Impact Assessment template.
- It is a Word document that complies with the corporate standards for a DPIA, so there are formal fields to fill in (owner, dates, etc.). Ensure that your DPIA is no older than 1 year; corporates do not accept older versions.
- Assign a control [link to section] to remind you.
- You will start in the template by providing general information. This information can be collected from other sections (GDPR Assessment or Legal & Compliance – GDPR). It will repeat or summarise content that you have already documented. However, when performing compliance processes with large-scale companies, this document is needed to get you smoothly through the process – as corporates will need to tick a lot of boxes.
- The 2nd part of the DPIA is the actual Assessment, where you will need to classify potential risks and report measures you have in place. You can make use of other assessments, controls or policies for this content. Make sure that you have some measures documented, so you can classify the residual risks as low or medium.
- If you classify the residual risk as (medium or) high, you will need to add an improvement that you will implement in the near future. Add that improvement in the column with the residual risk, so your customer will be informed of the actions that you take.
- The improvement will be processed in step 2 in Compleye Online.
- Finalise the document and continue with step 2.
Step 2 – Process your findings in the Compleye Online system
Now that the DPIA is finalised, it’s time to create actual improvements in Compleye Online. This is the final step and can be performed by your compliance officer.
You can simply click on the “Create New DPIA” button at the bottom left of the page.
It will open a new window where you can upload the DPIA document. Once attached, this document can’t be deleted, only downloaded. The DPIA card will be named after the date it was uploaded. If you have multiple documents, you can upload additional ones; make sure you upload the main document first.
After creating the DPIA you can add the findings (use the term ‘reducing of risk + add the potential risk’). You can also add other relevant documents in the tab ‘Attachments’, if needed (not mandatory).
- When adding a finding, you will automatically be offered the option to create an improvement (shown in blue).
NOTE: if you don’t create an improvement, you’ll need to justify the reason to the external auditor. Perhaps you have already solved the improvement and added the evidence in ‘Attachments’. If so, please make sure that you have addressed that in the finding (e.g., by adding ‘Already solved by …; evidence can be found in the attachment.’). We strongly advise creating an improvement for each finding. Improvements will become part of the Management Review and show that you’re able to improve and mature your ISMS.
When you create an improvement a new pop-up screen will appear.
- The finding is already filled in, with the tag DPIA, to identify where this improvement came from.
- You’ll need to assign an owner who will be responsible for the improvement.
- Due Date: estimated date for first expected results.
Once every field is addressed, you can push the ‘Create Improvement’ button and it will automatically create an improvement with an ID in the ‘Improvements’ section.
- Now, the owner will need to work on the improvement. Please make sure that the owner has access to the board and has added an e-mail address in the @people section to ensure that they receive notification on improvement deadlines.
Make sure that the owner reads the wiki on the improvement and starts working on the improvement.
The compliance officer will check all improvements’ progress during the monthly security meeting.
- Once the improvement is closed it will be indicated as a green check-box tick in the tab along with the date and the person that closed the improvement. So, before you start a new DPIA, check if the findings of your previous DPIA have been addressed in closed improvements.
| Field | Description | Example |
|---|---|---|
| Improvement Title | Define a name for the improvement. This is not the finding, but e.g. the name of a project/plan that is easily recognisable to the ISMS Team. | If the finding is ‘Additional factors that point to higher risk level were identified’, the improvement could be ‘High risk level factors’. |
| Owner | Person responsible for the improvement. | One of your ISMS Team members |
| Finding | Findings of the information security risk assessment (‘Column G in ISRA Template – tab Risk Assessment’). This will automatically be filled in the pop-up menu once defined in the section. | Additional factors that point to higher risk level were identified |
| Due date | Always start with a due date for when you want to have your first improvement milestone ready, e.g. when the project plan, proposal or first step needs to be finalised. To be used as a reminder (the owner can receive a notification 3 days prior to the due date). | Select the date |
| Origin | The risk assessment where the finding originated. In this case this will be filled in automatically, because this is the ISRA Section. | DPIA |