Conducting a Data Protection Impact Assessment (DPIA)
– converting paper records into electronic;
– combining several databases into one;
– inclusion of personal data obtained from commercial sources into the existing database;
– making changes to the business process, which will lead to the collection and use of personal data;
– implementation of projects using third-party suppliers;
– changes in the nature of personal data due to the addition of new types of information.
– carrying out systematic and extensive profiling or automated decision-making that produces significant decisions about PD subjects;
– processing of special categories of personal data (including children's data) or data relating to criminal offences;
– processing PD that tracks the location or behaviour of individuals online or offline, in combination with the criteria set out in EU guidance;
– systematic monitoring of publicly accessible places on a large scale;
– processing of sensitive PD on a large scale.
If your company has initiated any of these processes, then a DPIA is required under the GDPR. This is a complex, multi-level process that includes an audit of the mechanisms by which PD is handled, a written justification for processing the PD, and more. In each individual case it is necessary to assess whether a DPIA is actually needed, because legal grounds for not carrying one out can often be identified, which can save the company unnecessary costs. Consult the experts for an assessment of your individual situation.
In order to carry out a DPIA, you must follow these steps:
– define and record in the document the type and volume of PD processed, together with the context and purposes of the processing;
– consult the data processors to understand the technical changes that have been made;
– consult the data protection officer (if you needed a DPO, your company most likely processes PD on a large scale, and every major change to those processes will require a DPIA);
– assess the risks to the security of the personal data, as well as the proportionality of the processing to its purposes;
– assess legal compliance with the GDPR by analysing the likelihood and severity of the risks to the rights of PD subjects;
– produce a document recording the result of the DPIA, including any disagreements that arose during the consultations;
– implement any necessary measures identified during the DPIA in order to maintain legal compliance with the GDPR.
Legarithm will make this process simple and straightforward for you. We will not only guide your company through the DPIA, but also explain our actions, so that in the future you will be able to outsource to us only the most difficult tasks.