
Tag Archives for "DPIA"

On privacy impact assessment and leaking data of millions of users

Anonymizing location data is hard. If you absolutely need to do this, better consult someone knowledgeable.

Privacy impact assessments should not conform to fixed templates. These should be strict, technical analyses.

Full article: On privacy impact assessment and leaking data of millions of users

New DPIA on Microsoft Office and Windows software: still privacy risks remaining

Three new DPIAs, which Privacy Company has carried out for the central Dutch government, show that Microsoft has mitigated the eight previously identified privacy risks for Office 365 ProPlus through a combination of technical, organisational and contractual measures.

However, the new privacy conditions for the central Dutch government do not yet apply to the data processing via Windows 10 Enterprise or the mobile Office apps. Moreover, certain technical improvements that Microsoft has implemented in Office 365 ProPlus are not (yet) available in Office Online.

Therefore, SLM Rijk advises government institutions to, for the time being, refrain from using Office Online and the mobile Office apps, and to opt for the lowest possible level of data collection in Windows 10.

Full article: New DPIA on Microsoft Office and Windows software: still privacy risks remaining (long blog)

The Spanish DPA publishes a list of processing operations for which a DPIA is mandatory

After having received the favorable opinion of the European Data Protection Board, the Spanish Data Protection Agency (“AEPD”) released last 6th May a list of processing operations for which it is necessary to carry out a privacy impact assessment.

Although the GDPR establishes criteria that help to identify those processing operations that involve a high risk, the supervisory authorities shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. In this context, the AEPD has published a list of processing operations determining that in the majority of cases where the processing meets two or more of the criteria on the list, a PIA will be necessary. The more criteria met by the processing analyzed, the greater the risk involved and the certainty of the need for a PIA.

Full article: The Spanish Data Protection Agency has published a list of processing operations for which a privacy impact assessment is mandatory

Belgian DPA Publishes Updated List of Processing Activities Requiring DPIA

The Belgian Data Protection Authority recently published (in French and in Dutch) the updated list of the types of processing activities which require a data protection impact assessment (“DPIA”).

Article 35(4) of the EU General Data Protection Regulation (“GDPR”) obligates supervisory authorities to establish a list of the processing operations that require a DPIA and transmit it to the European Data Protection Board (the “EDPB”).

The Belgian DPA asserts that this list is neither exhaustive nor final and could be modified in the future.

Source: Belgian DPA Publishes Updated List of Processing Activities Requiring DPIA

ICO updates data protection impact assessment guide

The revised guidance, published by the Information Commissioner’s Office (ICO), contains changes in response to recommendations issued by an EU-wide data protection watchdog.

In October, the European Data Protection Board (EDPB) called on the ICO to update its DPIA guidance after finding the ICO had been too strict with some of its examples of when DPIAs need to be conducted.

Full article: ICO updates data protection impact assessment guide

CNIL Publishes DPIA Guidelines and List of Processing Operations Subject To DPIA

On November 6, 2018, the French Data Protection Authority (the “CNIL”) published its own guidelines on data protection impact assessments (the “Guidelines”) and a list of processing operations that require a data protection impact assessment (“DPIA”).

Source: CNIL Publishes DPIA Guidelines and List of Processing Operations Subject To DPIA

What’s subject to a DPIA under the GDPR?

Under the European Data Protection Regulation, data protection impact assessments are required when data processing is “likely to result in a high risk to the rights and freedoms of natural persons.” Exactly what “high risk” entails, however, has been a difficult question to answer.

The supervisory authorities of 22 Member States submitted draft lists to the European Data Protection Board identifying data processing activities likely to result in a high risk and therefore require DPIAs. The EDPB subsequently issued opinions on each of these lists.

Source: What’s subject to a DPIA under the GDPR? EDPB on draft lists of 22 supervisory authorities

EDPB: ICO too strict on data protection impact assessments

The opinion, issued by the European Data Protection Board (EDPB), differs from guidance the UK’s Information Commissioner’s Office (ICO) has issued on DPIAs. Businesses planning to process biometric, genetic or location data do not automatically have to carry out a data protection impact assessment (DPIA) first to comply with the General Data Protection Regulation (GDPR), an EU privacy watchdog has said.

The ICO is not bound to update its guidance in light of the EDPB’s opinion, but must justify its reasons for not doing so if “it does not intend to follow this opinion, in whole or in part”, the EDPB said.

Source: EDPB: ICO too strict on data protection impact assessments

Do I need a Data Protection Impact Assessment to avoid GDPR fines?

Essentially, a Data Protection Impact Assessment (DPIA) is a tool proposed under the General Data Protection Regulation (GDPR) for doing a risk analysis of the threats that a processing activity in a business entails. If your business handles sensitive or large-scale data, then a DPIA becomes relevant to you to ensure compliance with data protection principles and to avoid GDPR fines.

Read more: Do I need a Data Protection Impact Assessment to avoid GDPR fines? | ECOMPLY.io

How to approach DPIAs under the GDPR

The guiding principles of the General Data Protection Regulation stimulate organizations to address the issue of compliance with an approach based on continuous risk assessment, dropping formal approaches adopted so far.

The most appropriate response to support the profound changes required by the GDPR is the implementation of a privacy management model (PMS, or privacy management system), hopefully integrated with the other business management systems, adopted to guarantee the company the compliance with voluntary certification schemes or compliance with mandatory regulations.

Read full article: How to approach DPIAs under the GDPR
