Article 35 of the GDPR introduces the concept of a Data Protection Impact Assessment (DPIA).
The DPIA process requires the business to describe the processing it is assessing, to assess its necessity and proportionality, and to identify, understand and manage the risks. These are not the risks to the business, but the risks to the rights and freedoms of the people whose data is being processed. In this respect, the assessment differs from the risk assessments carried out elsewhere in the business.
The DPIA is an important method for establishing and demonstrating accountability: it helps controllers comply with the requirements of the GDPR, and the documented DPIA is the evidence that appropriate measures have been taken.
You are required to carry out a Data Protection Impact Assessment (DPIA) under certain conditions, and it is considered good practice to do so in any case. One advantage of integrating DPIAs into standard operating procedure is the level of information and the record keeping that is generated as a natural outcome of the process.
UKGDPR creates a custom workflow procedure with OneTrust software that integrates the required roles and streamlines the entire process. Your subject matter experts can complete their section and hand over to legal, who then hand on to IT, and so on. Risks in the processing activity are flagged and entered into a register to be managed. Alternatively, for smaller companies, we can set up a workflow using simple Excel spreadsheets.
How We Can Help
Conducting a DPIA is time consuming and requires bringing together several departments. The legal department needs to confirm that the relevant contract addendums are in place for third parties, IT contributes information about systems and data flows, the CISO has risk assessment work to do, and the project owner must provide detailed information about the nature of the processing.