Tag Archives for "DPIA"

How to approach DPIAs under the GDPR

A DPIA is a procedure that describes the processing, assesses its necessity and proportionality, and supports the management of the risks to the rights and freedoms of individuals arising from the processing of their personal data (by assessing those risks and defining appropriate measures to address them).

It is important that the risks to data subjects are identified, not only the impact of a data breach but also the risks intrinsic to the processing itself, which, even when secure and with low exposure to breaches, could still violate the data subject's privacy. It is therefore useful to extend the analysis to compliance risk and to risks for the organisation, since privacy risks to the data subject usually carry associated compliance and organisational risks.

Read full article: How to approach DPIAs under the GDPR

CNIL updates its PIA tool

The French data protection authority CNIL has updated its PIA software to make privacy impact assessments more practical and to foster collaboration between stakeholders.

The new features mainly concern the creation of the PIA report and the tool’s workflow:

  • it is now possible to filter the information to be shown in the report;
  • the PIA’s visual elements (risk overview, risk mapping, action plan overview) are now visible on the report page and available for download;
  • the action plan can be downloaded in csv format in order to easily follow up on its implementation and/or to include it in existing internal project management processes;
  • several improvements were made to the workflow and contextual information was enhanced, in order to clarify the PIA steps.

Source: May 2018 updates for the PIA tool

Assess data protection impact before conducting internal investigations

Businesses that plan to carry out internal investigations into the conduct of their employees or agents are likely to need to carry out data protection impact assessments (DPIAs) first, since DPIAs are now mandatory in certain circumstances under the GDPR.

Source: Assess data protection impact before conducting internal investigations

Belgian Privacy Commission Issues Recommendation on Data Protection Impact Assessment

The Belgian Privacy Commission recently released a Recommendation (in French and Dutch) on Data Protection Impact Assessment (“DPIA”) and the prior consultation requirements under Articles 35 and 36 of the EU General Data Protection Regulation (“GDPR”).

The Recommendation aims to provide guidance on the core elements and requirements of a DPIA, the different actors involved and specific provisions.

Source: Belgian Privacy Commission Issues Recommendation on Data Protection Impact Assessment

UK’s DPA releases data protection self assessment tool

The ICO’s data protection self assessment toolkit helps you assess your organisation’s compliance with data protection law and helps you find out what you need to do to make sure you are keeping people’s personal data secure.

The toolkit is made up of a number of checklists which cover data protection assurance, how to get ready for the General Data Protection Regulation, information and cyber security, direct marketing in line with the Privacy and Electronic Communications Regulations (PECR), records management, data sharing and subject access, and CCTV. The data protection toolkit is suitable for all businesses and will be particularly helpful to small and medium-sized enterprises.

Source: Data protection self assessment | ICO

Data Protection Impact Assessment

Article 35 of the GDPR provides for Data Protection Impact Assessments (DPIA). According to Article 35(1) a DPIA is required when “the processing [of data] is likely to result in a high risk to the rights and freedoms of natural persons.”

A DPIA should be carried out “prior to the processing” where processing likely to result in a high risk is planned. The data controller must choose a DPIA methodology or specify and implement a systematic DPIA process.

Source: DATA PROTECTION IMPACT ASSESSMENT

The Polish DPA’s draft list of triggers for mandatory DPIAs

In line with Article 35(4) of the GDPR, the Polish Data Protection Authority prepared and published a draft list of the kinds of processing operations subject to a mandatory data protection impact assessment.

According to the authority’s statements, the list is based on more than twenty years of the authority’s experience and reflects the requirements for DPIAs set out by the Article 29 Working Party in its Guidelines on Data Protection Impact Assessment and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (wp248rev.01).

Source: The Polish DPA’s draft list of triggers for mandatory DPIAs

Businesses face three month delay to ‘high risk’ data processing

Businesses could be forced to put major new technology projects on hold for more than three months if they trigger a duty to consult with the UK’s data protection authority on their plans to process personal data.

Organisations intending to use new technologies that involve the processing of personal data will be expected to carry out data protection impact assessments (DPIAs) before deploying those technologies under the new General Data Protection Regulation (GDPR), according to the Information Commissioner’s Office (ICO).

Source: Businesses face three month delay to ‘high risk’ data processing

AEPD guidelines on risk assessments and data protection impact assessments

To facilitate compliance with the General Data Protection Regulation, the Spanish Data Protection Agency, or AEPD, has published data protection impact assessment guidelines and risk assessment guidelines (in Spanish).

The guidelines provide information and examples about the concepts, measures and techniques that could be applied to identify, evaluate and manage the risks and high risks involved in the processing of personal data. The guidelines also help organizations know how to reduce such risks to an acceptable or tolerable level, meet individuals’ expectations of privacy, and comply with the GDPR.

Source: AEPD guidelines on risk assessments and data protection impact assessments

Spanish data protection guidance ‘should help with GDPR compliance’

New guidance produced by Spain’s data protection authority should help businesses determine what security measures they need in order to comply with new EU data protection laws.

La Agencia Española de Protección de Datos (AEPD) recently published guidance for organisations on how to assess the risks involved in personal data processing operations. It also updated its existing guidance on conducting data protection impact assessments (DPIAs).

Source: Spanish data protection guidance ‘should help with GDPR compliance’
