Data Privacy Impact Assessment

Under the GDPR, a DPIA is mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. This is particularly relevant when a new data processing technology is being introduced. 
 
Well, if you think that is the case, you will need to perform a DPIA. 

A DPIA can be needed if you have multiple products – then you whould perform a DPIA per product (or service). In case you work with different types of projects (e.g. Proof of Concept) you also will need to perform a new DPIA per project.  
 
When performing business with e.g. governmental organizations, it is like that they will ask you to share a copy of your DPIA. It is a summary (report) on how you handle personal data.  
 
In the Documentation Toolkit you can find a (word) template that you will need to fill in. Make sure the Data Protection Officer (DPO) will draw up and sign this document. Make sure you will have a pdf ready, in case customers will ask – make sure your DPIA is not older then 1 year. – Add a control [link to control] for this job.  
 
When performing your first DPIA, you might decide to improve on some topics – please make sure these are noted as finding in Compleye Online and Improvements are assigned, to keep track of these activities. It is important for external auditor to have evidence in place that you are able to perform assessments, assign findings and create improvements. So do not be afraid to add findings in this assessment.