Template for DPIA (EN)
Page: 1
Data Protection Impact Assessment (DPIA)
pursuant to Art. 35 GDPR, Recitals 84, 89, 90, 91, 92
Title of the project: Title
Initial creation of DPIA: DD.MM.YYYY by Name Surname
Last check: DD.MM.YYYY by Name Surname
Next check due: DD.MM.YYYY
The sections in gray, like this one, are meant to provide "in document" guidance on how to use this template. In
general spaces where you are to insert information
Contents
1. Project
2. Need for a data protection impact assessment
3. Description of the (planned) processing
3.1. Overview / summary / visual
3.2. Scope of the processing
3.3. Nature of the processing
3.4. Context of the processing
3.5. Purpose of the processing
4. Check of purpose of the processing v legal framework
4.1. (Business) purpose(s) for processing the personal data
4.2. Link of the purpose with the basis for legitimate processing
4.3. Check of the necessity and proportionality of the processing
5. Assessment of the (inherent) risks for the data subjects
6. Data protection by Design
6.1. General
6.2. Specific measures
7. Assessment of the (residual) risks for the data subjects
8. Involvement of the data protection authority
9. Concluding remarks
1. Project
This chapter allows for a tie-in with the project in which the data processing is looked at, either to be developed or
to be changed. This is not a mandatory chapter in a DPIA, but it helps to put the DPIA in the larger business operations
context of the organisation.
Please, give the official references and a short description of the project, as the case
may be - to avoid redundancy - by referring to relevant documents such as the project
charter or a process description.
2. Need for a data protection impact assessment
A data protection impact assessment is considered necessary when a data processing operation is "likely to result
in a high risk to the rights and freedoms of natural persons" (art. 35 §1 GDPR). This is in particular the case for
(art. 35 §3 GDPR):
● a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated
processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person
or similarly significantly affect the natural person
● processing on a large scale of special categories of data referred to in Article 9(1) (e.g. racial or ethnic origin, health data,
political opinions, religious beliefs, or trade union membership), or of personal data relating to criminal convictions and
offences referred to in Article 10 GDPR
● a systematic monitoring of a publicly accessible area on a large scale
The data protection authorities have elaborated this into nine criteria (Article 29 Working Party, WP248 rev.01, endorsed by the EDPB):
● Evaluation or scoring
● Automated decision-making with legal or similarly significant effect
● Systematic monitoring
● Sensitive data or data of a highly personal nature
● Data processed on a large scale
● Matching or combining datasets
● Data concerning vulnerable data subjects
● Innovative use or application of new technological or organisational solutions
● Processing that in itself prevents data subjects from exercising a right or using a service or a contract
The original (April 2017) version of WP248 listed a tenth criterion, data transfer across borders outside the European Union;
the revised version dropped it, but such transfers remain a factor to assess under section 4.2 (3) below. As a rule of thumb
from WP248, processing that meets two of these criteria will in most cases require a DPIA; processing meeting only one
criterion may still require one depending on the circumstances. Check also the national list of processing operations for which
a DPIA is required, which each supervisory authority publishes under art. 35 §4 GDPR. Detailed explanations can be found in
the guidelines provided in WP248 of the Article 29 Working Party, which were endorsed by the EDPB.
Note that the ”rights and freedoms of natural persons” that may be at risk are not only privacy (in the broad sense
including self-development) and data protection, but also such rights and freedoms as the right to life, the right to
bodily integrity and the right not to be discriminated against.
There is a / no risk to the rights and freedoms of natural persons due to
[Please, indicate what risks you have identified (with some brief explanation), e.g.]
- Privacy of the individuals (data subjects), including reputational damage or the
inability to access services or opportunities
- Data protection of the individuals (data subjects), including loss of confidentiality
- Identity theft
- Inability to exercise one’s rights
- Discrimination of the individuals (data subjects)
- Retaliation against the individuals (data subjects)
- Bodily harm to the individuals (data subjects)
- Threat to life for the individuals (data subjects)
We think the risk to the rights and freedoms of natural persons is (not) high due to
[Please, give reasons why DPIA is needed (or not), e.g.]
● Personal data being transferred around the globe
● Processing of vulnerable data subjects, e.g. workers in a potentially dangerous
situation
● Processing of sensitive data (e.g. racial or ethnic origin, health data, political
opinions, religious beliefs, or trade union membership)
● Processing for which it is impossible or unlikely that the data subject will
exercise their data subject rights (against the organisation)
If the conclusion is that the risk to the rights and freedoms of natural persons is NOT high, this should be argued.
In that case the data processing operation nevertheless needs to be notified to the data protection officer (or in its absence the
legal office) to ensure that it is registered in the data processing register (the record of processing activities, art. 30 GDPR),
which requires a description of the data processing anyway.
If this DPIA is completed and provided to the data protection officer (or in its absence the legal office), they will ensure that
the data processing is inserted in the data processing register based on the information in this DPIA.
3. Description of the (planned) processing
This section aims to address the requirement to insert "a systematic description of the envisaged processing
operations and the purposes of the processing" in the DPIA (art. 35 §7 a GDPR).
Remember that processing is broadly defined as "any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction" (art. 4
(2) GDPR).
The goal is to have a good view on the data processing. The (sub-)sections are merely there in support thereof. If
the description works better and is still complete through another format or presentation, the (sub-)sections can be
suppressed.
3.1. Overview / summary / visual
This section allows to provide an overview of the processing end-to-end in a single summary description, ideally
with a visual of the data flows. The idea is to give the reader of this DPIA a global idea of the data processing
without having to read the details in the other (sub-)sections of this chapter 3.
[Please, give an overview of the data processing, as the case may be supported by a
visual depiction of the data flows.]
3.2. Scope of the processing
This section allows to provide information on the scope of the processing, in other words what the processing
covers. Such includes the category of the personal data, the volume and variety of the personal data, the sensitivity
of the personal data, the extent and frequency of the processing, the duration of the processing, the number of data
subjects involved, the geographical area covered, ...
[Please, define the scope of data processing, e.g. with the following sections:]
(a) Data subjects in scope
a. types of data subjects in scope
b. estimated volume of data subjects in scope
(b) Personal data in scope
a. categories of personal data in scope
b. estimated volume of data (points) per data subject in scope
(c) Temporal scope
a. frequency of data updates
b. (longest) data retention
(d) Geographical scope
(e) Personal scope (parties involved)
a. Controller
b. Processor
3.3. Nature of the processing
This section allows to provide information on the nature of the processing, in other words what we plan to do with
the personal data. Such includes: how we collect the data, how we store the data, how we use the data, who has
access to the data, who we share the data with, whether we use any processors, retention periods, security
measures (so-called technical and organisational measures), whether we are using any new technologies (AI,
blockchain, etc.), whether we are using any novel types of processing, which screening criteria have been flagged
as likely high risk, ...
[Please, define the nature of data processing, e.g. with the following sections:]
(a) Data collection
a. Who collects?
b. Where does the collection happen (geographically)?
c. How is it collected?
d. From whom is it collected? (source: data subject, third party, data
broker, ...)
(b) Data storage
a. Who stores / is responsible for the storage?
b. Where is it stored (geographically, “in the cloud”)?
(c) Access to the data
a. Who (parties or categories of recipients) will have direct access to the
data?
b. Who (parties or categories of recipients) will the data be shared with?
(d) Data use (in the broadest sense)
a. Who will do what with the data?
(e) Security of the processing
(f) Data destruction
3.4. Context of the processing
This section allows to provide information on the context of the processing, in other words the wider picture,
including internal and external factors which might affect expectations or impact. Such includes: the source of the
data, the nature of our relationship with the individuals (data subjects), the extent to which individuals (data subjects)
have control over their data, the extent to which individuals (data subjects) are likely to expect the processing,
whether they include children or other vulnerable people, any previous experience of this type of processing, any
relevant advances in technology or security, any current issues of public concern, whether any data protection
codes of conduct or certification schemes will be complied with (once any have been approved), whether relevant
codes of practice have been considered and complied with, ...
Reference is made to the project description in chapter 1 of this document.
[Please, define the further context of data processing, should such be relevant.]
3.5. Purpose of the processing
The purpose of the processing is the reason why we want to process the personal data. Such includes: a legal
obligation, a contractual obligation (of ours or of third parties we technically or organisationally support), an interest of
the organisation or its members, the intended outcome for individuals (data subjects), the expected benefits for the
organisation or society as a whole, ...
Reference is made to chapter 4 of this document.
4. Check of purpose of the processing v legal framework
This section aims to address the requirement to insert "(a systematic description of) (...) the purposes of the
processing" and "an assessment of the necessity and proportionality of the processing operations in relation to the
purposes" in the DPIA (art. 35 §7 a and b GDPR).
The purpose-bound nature of processing is a basic principle of the data protection legislation (art. 5 §1 b GDPR):
personal data must only "be collected for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes".
4.1. (Business) purpose(s) for processing the personal data
[Please, define the (business) purpose(s) of data processing, e.g. a new or changed
service for the customers, digitalisation of an existing HR process for payroll
administration, ...]
4.2. Link of the purpose with the basis for legitimate processing
Lawful processing is a basic principle of the data protection legislation (art. 5 §1 a GDPR). It applies to all
data processing, with additional requirements / restrictions for the processing of special categories of data and for
transfers of data outside of the EU.
(1) General basis for legitimate processing
This section focuses on the application of one of the six general bases for legitimate processing listed in art.
6 §1 GDPR, mainly: (a) consent of the data subject (with special attention for the requirements for, and the weakness
of, such consent, art. 7 and 8 GDPR), (b) performance of a contract to which the data subject is party or in order to
take steps at the request of the data subject prior to entering into a contract, (c) compliance with a legal obligation
to which the controller is subject (careful about legal obligations outside of the EU), and (f) legitimate interests pursued
by the controller or by a third party, except where such interests are overridden by the interests or fundamental
rights and freedoms of the data subject which require protection of personal data. The remaining two bases, (d) protection
of the vital interests of the data subject or another person and (e) a task carried out in the public interest or in the exercise
of official authority, are less common in a business project but must be named explicitly where they apply.
[Please, determine the (main) legal basis for the (different) processing (operations) of
all personal data in scope by referring to one of the legal bases and explaining how it
applies in this case, so]
(a) In case of consent: demonstrate how consent is retrieved and can be proven
(b) In case of a contract: reference to the (draft / template) contract
(c) In case of a legal obligation: reference to the source of the legal obligation, as
the case may be the joint reading of multiple provisions
(d) In case of a legitimate interest: make the interest(s) explicit and prepare to
explain in depth in section 4.3 how the individual rights of the data subjects are
not overriding that (those) interest(s)
(2) Basis for legitimate processing in case of special categories of data
If and when special categories of data are processed, this requires an additional basis for legitimate processing
(art. 9 and 10 GDPR). The categories of data referred to are in particular "data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data,
biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning
a natural person's sex life or sexual orientation", and "data relating to criminal convictions and offences or related
security measures". The latter category may only be processed under the control of official authority or where Union or
Member State law authorises the processing (art. 10 GDPR).
Note that beyond that, specific legal provisions may specifically protect other categories of data, such as cardholder
data (e.g. PCI DSS) or other financial data, national register numbers, social security numbers or other identifiers
of general use by the government or other bodies, ...
[Please, determine the (main) legal basis for the (different) processing (operations) of
special categories of personal data in scope by referring to one of the legal bases and
explaining how it applies in this case, so for example]
(a) In case of a legal obligation: reference to the source of the legal obligation, as
the case may be the joint reading of multiple provisions
(b) In case of explicit consent: demonstrate how explicit consent is obtained and can be proven (art. 9 §2 a GDPR)
(c) In case of establishment, exercise or defence of legal claims: the reference to
the type of legal claims and the parties to the claim (claimant and defendant)
(3) Basis for legitimate processing in case of transfer outside of EU
This section focuses on the application of the three main mechanisms that support structural transfers of personal data
outside of the EU, namely (a) an adequacy decision, i.e. the countries involved are considered to provide equivalent or
adequate data protection (art. 45 GDPR + website EC), (b) standard contractual clauses (art. 46 §2 c and d in conjunction
with art. 93 §2 GDPR + website EC), or (c) binding corporate rules (art. 47 GDPR + website EDPB). Only for "one off" /
occasional transfers can the derogations be considered (art. 49 GDPR).
Note that at least since the so-called Schrems II decision (CJEU, C-311/18) the transfer of personal data outside of the EU
also requires an analysis of the legal system in the receiving countries (a "transfer impact assessment") to assess the data
protection risk for the data subjects and to develop supplementary measures (like encryption for which the keys stay under
the exporter's control, and contractual arrangements) that keep the data protection risk (for the data subjects) low. Only in
case of an adequacy decision (art. 45 GDPR) is this not required.
[Please, list the countries outside the EU to which personal data is (or may be)
transferred, the transfer mechanism relied on for each (adequacy decision, standard
contractual clauses, binding corporate rules or, for occasional transfers, a derogation)
and, where applicable, the outcome of the transfer impact assessment and the
supplementary measures taken.]
(4) Local law legitimacy requirement
This section allows for insertion of local law that may apply, especially outside of the EU.
[OR We are not aware of any local law that in addition needs to be applied to come to
a legitimate processing of the information.]
[OR The following local law was brought to our attention and has the following impact
for the legitimate processing of the information: (…)]
4.3. Check of the necessity and proportionality of the processing
(1) Necessity of the processing
Each of the bases for legitimate processing contains a necessity requirement, i.e. only the necessary data processing
can be legitimised. By consequence only the necessary processing can lawfully be performed.
[Please, argue that and how all processing described is necessary in reaching the
purposes defined.]
(2) Data minimisation
Data minimisation is a basic principle of the data protection legislation (art. 5 §1 c GDPR): personal data must (only) be
processed if it is "adequate, relevant and limited to what is necessary in relation to the purposes for which they are
processed". In other words only the minimum amount of relevant data should be processed, and this assessment
should in principle be applied at each stage of the end-to-end process.
[Please, argue that and how only the minimum amount of relevant data is to be
processed.]
(3) Avoidance of “function creep”
Function creep is the situation where data processed for one (bundle of) purposes is (later) reused for other
purposes, mainly because “we have the data anyway”.
[Please, argue that and how function creep is avoided.]
(4) Only need-to-know access
A limitation of the access to the data to only those people and parties that have a need-to-know is an application of
the proportionality principle (art. 5 §1 f, 28, 29 and 32 GDPR).
[Please, argue that and how the (relevant) data is only accessible by / shared with
people with a need to know. Note that in principle the parties involved are described in
more detail in section 3.3.]
(5) Time limitation (“storage limitation”)
Storage limitation is a basic principle of the data protection legislation (art. 5 §1 e GDPR): personal data must (only) be
processed if it is "kept in a form which permits identification of data subjects for no longer than is necessary for the
purposes for which the personal data are processed". In other words: data should only be kept if there is a
demonstrable (legal) obligation (e.g. in support of accounting) or need to keep it (e.g. to demonstrate execution of
an agreement), and no overriding (legal) obligation to destroy the data (e.g. a legal maximum retention period). If
there is no longer a need to keep the data, it will be hard to argue longer retention.
[Please, argue that and how the (relevant) data is kept only for as long as needed. Note
that in principle the retention period is mentioned in sections 3.2 and 3.3.]
5. Assessment of the (inherent) risks for the data subjects
A third mandatory part of a DPIA is "an assessment of the risks to the rights and freedoms of data subjects" (art. 35
§7 c GDPR).
Reference is made to section 2 for the (preliminary) assessment of the inherent risks
for the data subjects.
[The reference above can suffice in some cases. This is an opportunity, not an
obligation, to elaborate more extensively on the risks you have identified in section 2.
You may do that by going through some "worst case" scenarios which impact the data
subjects and, for each of them, determining the (worst) possible impact on the data
subject and the probability of such an impact materialising, thus resulting in a risk
score. Scenarios to consider are: breach of confidentiality (e.g. the data is published
on a WikiLeaks-like website, is in the possession of a bad actor, or is shared with a foreign
government), breach of integrity (the data is changed or corrupted, knowingly or
unbeknownst to us), breach of availability (the data is lost or encrypted through ransomware),
...]
6. Data protection by Design
An important part of the principle of accountability (art. 5 §2 GDPR) is the duty for the controller (art. 25 §1 GDPR)
to "implement appropriate technical and organisational measures" "which are designed to implement data protection
principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the
requirements of (the GDPR) and protect the rights of data subjects", under the following conditions:
- "taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes
of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons
posed by the processing"
- "both at the time of the determination of the means for processing and at the time of the processing itself"
In the DPIA this chapter also covers the fourth mandatory element, "the measures envisaged to address the risks"
(art. 35 §7 d GDPR).
This obligation includes the obligation for security by design, i.e. to "implement appropriate technical and
organisational measures to ensure a level of security appropriate to the risk" (art. 32 §1 GDPR).
6.1. General
[Please, argue in general that and how the (personal) data processing is set up with
data protection in mind.]
6.2. Specific measures
The specific measures taken can be categorised in a number of ways. Frameworks for information security, such
as the ISO/IEC 27000 series and NIST SP 800-53, can also provide useful inspiration.
Article 32 §1 GDPR itself refers to "(a) the pseudonymisation and encryption of personal data, (b) the ability to
ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, (c) the
ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical
incident, (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and
organisational measures for ensuring the security of the processing".
[Please, insert information on the specific measures (to be) taken, e.g.]
- Deciding not to collect certain types of data.
- Reducing the scope of the processing.
- Anonymising or pseudonymising data where and as soon as possible.
- Reducing retention periods.
- Using a different technology.
- Taking additional technological security measures.
- Writing internal guidance or processes to avoid risks.
- Instructing and training (relevant) staff to ensure risks are anticipated and
managed.
- Putting clear data sharing agreements into place, especially with processors
(art. 28 GDPR) or joint controllers (art. 26 GDPR).
- Ensuring audit assurance on the data processing, especially when performed
by third parties (processors or joint controllers).
- Making changes to privacy statement to increase transparency for the data
subject (art. 12-14 GDPR).
- Offering individuals the chance to opt out, where appropriate.
- Implementing new systems to help individuals to exercise their rights (art. 12-
23 GDPR).
- Adding a human element to review automated decisions (art. 22 GDPR), if any.
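Measure (a) of art. 32 §1, pseudonymisation, is the one on this list that is most often done wrong, so here is a worked example. It is added to this page and is not code from the template or its author. It implements keyed pseudonymisation of a direct identifier with HMAC-SHA256: the key is the "additional information" of art. 4(5) GDPR that is kept separately (in a KMS/HSM or with the key custodian), so without it the pseudonym cannot be attributed to a person, whereas an unkeyed hash of a low-entropy identifier (employee number, e-mail address, national register number) is reversed by simple enumeration. One key per purpose also makes the payroll and analytics pseudonyms unlinkable, which supports the "function creep" argument of section 4.3 (3). The key store, the 128-bit truncation of the pseudonym, the employee identifier format and the sample records are all assumptions constructed for the example.

```python
"""Keyed pseudonymisation of a direct identifier (constructed example).

GDPR art. 4(5): data is pseudonymised when it can no longer be attributed to a
specific data subject without "additional information" that is kept separately.
An HMAC implements that split: the pseudonym stays usable as a join key within
one purpose, the key is the separately held additional information.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Iterator, List, Optional

# One key per purpose, held by the key custodian (a KMS/HSM or the DPO's team),
# never stored next to the pseudonymised dataset. Generated here for the example.
KEYS: Dict[str, bytes] = {
    "payroll": secrets.token_bytes(32),
    "analytics": secrets.token_bytes(32),
}


def normalise(identifier: str) -> str:
    """Canonicalise so that formatting noise ("E-1 " vs "e-1") yields one pseudonym."""
    return identifier.strip().lower()


def pseudonymise_with_key(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised identifier, truncated to 128 bits (32 hex chars)."""
    mac = hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256)
    return mac.digest()[:16].hex()


def pseudonymise(identifier: str, purpose: str) -> str:
    """Purpose-bound pseudonym; raises KeyError if no key was issued for that purpose."""
    return pseudonymise_with_key(identifier, KEYS[purpose])


def unkeyed_hash(identifier: str) -> str:
    """What is often (wrongly) called anonymisation: a plain hash of the identifier."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def candidate_ids(n: int) -> Iterator[str]:
    """The attacker's guess space: employee numbers carry very little entropy."""
    return (f"E-{i:06d}" for i in range(n))


def reverse_by_enumeration(target: str, candidates: Iterable[str],
                           hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker model: hash every plausible identifier and compare with the target."""
    for cand in candidates:
        if hmac.compare_digest(hash_fn(cand), target):
            return cand
    return None


def attacker_without_key(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Same attack against a keyed pseudonym: the attacker must guess the 256-bit key."""
    guessed_key = secrets.token_bytes(32)
    return reverse_by_enumeration(target, candidates,
                                  lambda c: pseudonymise_with_key(c, guessed_key))


def pseudonymise_records(records: List[dict], purpose: str,
                         identifier_field: str = "employee_id") -> List[dict]:
    """Replace the identifier column for one purpose; other fields are left untouched
    (minimising those fields is a separate decision, see section 4.3 (2))."""
    out = []
    for rec in records:
        rec = dict(rec)  # do not mutate the caller's data
        rec[identifier_field] = pseudonymise(rec[identifier_field], purpose)
        out.append(rec)
    return out


# Constructed sample records; the second row is the same person with sloppy formatting.
SAMPLE = [
    {"employee_id": "E-000123", "dept": "ops", "salary_band": "B2"},
    {"employee_id": " e-000123", "dept": "ops", "salary_band": "B2"},
    {"employee_id": "E-000987", "dept": "hr", "salary_band": "C1"},
]

if __name__ == "__main__":
    for row in pseudonymise_records(SAMPLE, "payroll"):
        print(row)
    leaked = unkeyed_hash("E-000123")
    print("unkeyed hash reversed to:",
          reverse_by_enumeration(leaked, candidate_ids(2000), unkeyed_hash))
    print("keyed pseudonym reversed to:",
          attacker_without_key(pseudonymise("E-000123", "payroll"), candidate_ids(2000)))
```

The point for the DPIA: the pseudonymised dataset and the key must have different custodians and different access control lists (section 4.3 (4)), and rotating or deleting the key is what turns the dataset from pseudonymised into effectively anonymised at the end of the retention period (section 4.3 (5)).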
7. Assessment of the (residual) risks for the data subjects
The same mandatory part of a DPIA, "an assessment of the risks to the rights and freedoms of data subjects" (art. 35
§7 c GDPR), returns here. The inherent risks, i.e. in principle PRIOR to the measures described in chapter 6, should be set out
in chapters 2 and/or 5. This chapter looks at the risk AFTER the (implementation of the) measures described in
chapter 6, to determine what the level of the residual risk is for the data subjects.
[EITHER] After the measures described (see chapter 6), we assess the residual
risks for the data subjects to be mitigated to a reasonable, low level of risk. We still
identify the following risks and aim to control them as indicated above:
[Please, indicate what risks you still identify and the level you assess them at (with
some brief explanation), e.g.]
- Privacy of the individuals (data subjects)
- Data protection of the individuals (data subjects)
- Discrimination of the individuals (data subjects)
- Retaliation against the individuals (data subjects)
- Bodily harm to the individuals (data subjects)
- Threat to life for the individuals (data subjects)
[OR] After the measures described (see chapter 6), we assess the residual risks for
the data subjects to be mitigated, but still to be at a high level. Reference is made to
chapter 8 below.
8. Involvementof the data protection authority
If and when the DPIA leads to the result that even after the mitigating measures the risks for the data subjects are
still high, the organisation must consult the Data Protection Authority before starting the processing (in Belgium the
Gegevensbeschermingsautoriteit or Autorité de Protection des Données) (art. 36 §1 GDPR). Any such consultation
will be performed via the data protection officer (or in the absence thereof the legal office) of the organisation, or as
the case may be, supported by an (external) legal counsel.
[DEFAULT] No data protection authority was involved, as such was not necessary.
[WHEN CONSULTED] The Belgian data protection authority was consulted via a case
file containing the information listed in art. 36 §3 GDPR, provided to it on (date). The
result of the consultation was as follows: (insert result).
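The impact x probability scoring described in chapter 5, carried through to the residual assessment of chapter 7 and the art. 36 decision of chapter 8, as an added worked example. It is not part of the template and not code from its author. The four-level scales, the thresholds separating low, medium and high, and the payroll scenarios with their measures are assumptions made for the example; the DPIA must document the scales it actually uses. It also encodes two consistency rules worth keeping in any risk register: a measure may lower a risk but never raise it above the inherent level, and every measure must be traceable by name to an entry in chapter 6.2.

```python
"""DPIA risk register: inherent risk, chapter 6 measures, residual risk, art. 36 trigger
(constructed example). Scales and thresholds are assumptions, not GDPR requirements."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Four-level scale used for both impact and likelihood (assumption for this example).
SCALE: Dict[str, int] = {"negligible": 1, "limited": 2, "significant": 3, "maximum": 4}
CONSULT_DPA_AT = "high"  # residual level at which art. 36 §1 prior consultation applies


def classify(impact: int, likelihood: int) -> str:
    """Map impact x likelihood (1..16) onto low / medium / high. Thresholds are assumed."""
    score = impact * likelihood
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Measure:
    name: str                  # must be traceable to an entry in chapter 6.2
    impact_delta: int = 0      # negative lowers impact (e.g. encryption, cf. art. 34 §3 a)
    likelihood_delta: int = 0  # negative lowers likelihood (e.g. access control)


@dataclass
class Scenario:
    name: str
    security_property: str     # confidentiality / integrity / availability
    impact: str                # key of SCALE
    likelihood: str            # key of SCALE
    measures: List[Measure] = field(default_factory=list)

    def inherent(self) -> Tuple[int, int]:
        return SCALE[self.impact], SCALE[self.likelihood]

    def residual(self) -> Tuple[int, int]:
        imp, lik = self.inherent()
        for m in self.measures:
            imp += m.impact_delta
            lik += m.likelihood_delta
        # A measure can lower a risk but never raise it above the inherent level,
        # and nothing goes below the floor of the scale.
        imp = min(max(imp, 1), SCALE[self.impact])
        lik = min(max(lik, 1), SCALE[self.likelihood])
        return imp, lik


def assess(scenarios: List[Scenario]) -> List[dict]:
    """One row per scenario: inherent level (chapters 2/5) and residual level (chapter 7)."""
    rows = []
    for s in scenarios:
        ii, il = s.inherent()
        ri, rl = s.residual()
        rows.append({
            "scenario": s.name,
            "property": s.security_property,
            "inherent": classify(ii, il),
            "residual": classify(ri, rl),
            "measures": [m.name for m in s.measures],
        })
    return rows


def conclusion(rows: List[dict]) -> str:
    """Chapter 8 decision: any residual 'high' triggers prior consultation of the DPA."""
    if any(r["residual"] == CONSULT_DPA_AT for r in rows):
        return "residual risk high: prior consultation of the DPA required (art. 36 §1)"
    return "residual risk acceptable: proceed and record the processing (art. 30)"


# Constructed scenarios for a hypothetical HR payroll tool, one per CIA property.
SCENARIOS = [
    Scenario("payroll export leaks to the internet", "confidentiality",
             "significant", "significant",
             [Measure("encryption at rest, keys in an HSM", impact_delta=-2),
              Measure("need-to-know access with quarterly review", likelihood_delta=-1)]),
    Scenario("salary records silently altered", "integrity", "significant", "limited",
             [Measure("append-only audit log, four-eyes approval", likelihood_delta=-1)]),
    Scenario("payroll database hit by ransomware", "availability", "limited", "significant",
             [Measure("offline backups, restore tested quarterly (art. 32 §1 c)", impact_delta=-1)]),
]

if __name__ == "__main__":
    rows = assess(SCENARIOS)
    for r in rows:
        print(f"{r['scenario']:<40} inherent={r['inherent']:<6} residual={r['residual']}")
    print(conclusion(rows))
```

In this constructed case the leak scenario starts high (3 x 3) and ends low once encryption removes most of the impact and access control lowers the likelihood; the same register with a "maximum" impact scenario and no effective measure keeps a residual "high" and returns the art. 36 consultation outcome.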
9. Concluding remarks
[Please, state in short what conclusion you took from the final DPIA.]
[e.g. the open actions are integrated in the action log for the project.]

Big Data: Privacy and Security AspectsBig Data: Privacy and Security Aspects
Big Data: Privacy and Security AspectsIRJET Journal
 

Similaire à DPIA template (20)

GDPR, Data Privacy.
GDPR, Data Privacy.GDPR, Data Privacy.
GDPR, Data Privacy.
 
Implications of the European Data Protection Regulations for Learning Analyti...
Implications of the European Data Protection Regulations for Learning Analyti...Implications of the European Data Protection Regulations for Learning Analyti...
Implications of the European Data Protection Regulations for Learning Analyti...
 
250220 blockchain gdpr_blockchain_hillemann_presentation
250220 blockchain gdpr_blockchain_hillemann_presentation250220 blockchain gdpr_blockchain_hillemann_presentation
250220 blockchain gdpr_blockchain_hillemann_presentation
 
How MongoDB can accelerate a path to GDPR compliance
How MongoDB can accelerate a path to GDPR complianceHow MongoDB can accelerate a path to GDPR compliance
How MongoDB can accelerate a path to GDPR compliance
 
A de minimis rule for personal data breach notifications in the GDPR
A de minimis rule for personal data breach notifications in the GDPRA de minimis rule for personal data breach notifications in the GDPR
A de minimis rule for personal data breach notifications in the GDPR
 
Business impact of new EU General Data Protection Regulation (GDPR) on organi...
Business impact of new EU General Data Protection Regulation (GDPR) on organi...Business impact of new EU General Data Protection Regulation (GDPR) on organi...
Business impact of new EU General Data Protection Regulation (GDPR) on organi...
 
GDPR 11/1/2017
GDPR 11/1/2017GDPR 11/1/2017
GDPR 11/1/2017
 
GDPR practical info session for development
GDPR practical info session for developmentGDPR practical info session for development
GDPR practical info session for development
 
Pronti per la legge sulla data protection GDPR? No Panic! - Stefano Sali, Dom...
Pronti per la legge sulla data protection GDPR? No Panic! - Stefano Sali, Dom...Pronti per la legge sulla data protection GDPR? No Panic! - Stefano Sali, Dom...
Pronti per la legge sulla data protection GDPR? No Panic! - Stefano Sali, Dom...
 
Is Encryption the Only Key to GDPR?
Is Encryption the Only Key to GDPR?Is Encryption the Only Key to GDPR?
Is Encryption the Only Key to GDPR?
 
Privacy by Design: legal perspective
Privacy by Design: legal perspectivePrivacy by Design: legal perspective
Privacy by Design: legal perspective
 
DATA SCIENCE METHODOLOGY FOR CYBERSECURITY PROJECTS
DATA SCIENCE METHODOLOGY FOR CYBERSECURITY PROJECTS DATA SCIENCE METHODOLOGY FOR CYBERSECURITY PROJECTS
DATA SCIENCE METHODOLOGY FOR CYBERSECURITY PROJECTS
 
Kyte GDPR Compliance - Offered Services
Kyte GDPR Compliance - Offered ServicesKyte GDPR Compliance - Offered Services
Kyte GDPR Compliance - Offered Services
 
Are You GDPR Ready?
Are You GDPR Ready?Are You GDPR Ready?
Are You GDPR Ready?
 
GDPR: Protecting Your Data
GDPR: Protecting Your DataGDPR: Protecting Your Data
GDPR: Protecting Your Data
 
Legal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services SectorLegal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services Sector
 
Cluster Based Access Privilege Management Scheme for Databases
Cluster Based Access Privilege Management Scheme for DatabasesCluster Based Access Privilege Management Scheme for Databases
Cluster Based Access Privilege Management Scheme for Databases
 
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
 
Big Data: Privacy and Security Aspects
Big Data: Privacy and Security AspectsBig Data: Privacy and Security Aspects
Big Data: Privacy and Security Aspects
 
Data attribute security and privacy in Collaborative distributed database Pub...
Data attribute security and privacy in Collaborative distributed database Pub...Data attribute security and privacy in Collaborative distributed database Pub...
Data attribute security and privacy in Collaborative distributed database Pub...
 

Plus de Tommy Vandepitte

Gegevensbescherming-clausule in (overheids)opdracht
Gegevensbescherming-clausule in (overheids)opdrachtGegevensbescherming-clausule in (overheids)opdracht
Gegevensbescherming-clausule in (overheids)opdrachtTommy Vandepitte
 
20190131 - Presentation Q&A on legislation's influence (on travel management)
20190131 - Presentation Q&A on legislation's influence (on travel management)20190131 - Presentation Q&A on legislation's influence (on travel management)
20190131 - Presentation Q&A on legislation's influence (on travel management)Tommy Vandepitte
 
GDPR toegepast op huur-verhuur (Dutch)
GDPR toegepast op huur-verhuur (Dutch)GDPR toegepast op huur-verhuur (Dutch)
GDPR toegepast op huur-verhuur (Dutch)Tommy Vandepitte
 
Controller-to-processor agreements
Controller-to-processor agreementsController-to-processor agreements
Controller-to-processor agreementsTommy Vandepitte
 
Gegevensbescherming makelaars
Gegevensbescherming makelaarsGegevensbescherming makelaars
Gegevensbescherming makelaarsTommy Vandepitte
 
EEAS - Cultivate your data protection
EEAS - Cultivate your data protectionEEAS - Cultivate your data protection
EEAS - Cultivate your data protectionTommy Vandepitte
 
Presentation for the LSEC GDPR event - 20171130
Presentation for the LSEC GDPR event - 20171130Presentation for the LSEC GDPR event - 20171130
Presentation for the LSEC GDPR event - 20171130Tommy Vandepitte
 
Training privacy by design
Training privacy by designTraining privacy by design
Training privacy by designTommy Vandepitte
 
GDPR voor steden en gemeenten (Dutch)
GDPR voor steden en gemeenten (Dutch)GDPR voor steden en gemeenten (Dutch)
GDPR voor steden en gemeenten (Dutch)Tommy Vandepitte
 
GDPR project board deck (example)
GDPR project board deck (example)GDPR project board deck (example)
GDPR project board deck (example)Tommy Vandepitte
 
IS/DPP for staff #8 - Monitoring
IS/DPP for staff #8 - MonitoringIS/DPP for staff #8 - Monitoring
IS/DPP for staff #8 - MonitoringTommy Vandepitte
 
IS/DPP for staff #7 - Incidents
IS/DPP for staff #7 - IncidentsIS/DPP for staff #7 - Incidents
IS/DPP for staff #7 - IncidentsTommy Vandepitte
 
IS/DPP for staff #6 - Acceptable use
IS/DPP for staff #6 - Acceptable useIS/DPP for staff #6 - Acceptable use
IS/DPP for staff #6 - Acceptable useTommy Vandepitte
 
IS/DPP for staff #5b - Passwords
IS/DPP for staff #5b - PasswordsIS/DPP for staff #5b - Passwords
IS/DPP for staff #5b - PasswordsTommy Vandepitte
 
IS/DPP for staff #5a - Access
IS/DPP for staff #5a - AccessIS/DPP for staff #5a - Access
IS/DPP for staff #5a - AccessTommy Vandepitte
 
IS/DPP for staff #3b - Data Classification
IS/DPP for staff #3b - Data ClassificationIS/DPP for staff #3b - Data Classification
IS/DPP for staff #3b - Data ClassificationTommy Vandepitte
 
IS/DPP for staff #3a - Data
IS/DPP for staff #3a - DataIS/DPP for staff #3a - Data
IS/DPP for staff #3a - DataTommy Vandepitte
 
IS/DPP for staff #2 - Why?
IS/DPP for staff #2 - Why?IS/DPP for staff #2 - Why?
IS/DPP for staff #2 - Why?Tommy Vandepitte
 
IS/DPP for staff #1 - intro
IS/DPP for staff #1 - introIS/DPP for staff #1 - intro
IS/DPP for staff #1 - introTommy Vandepitte
 

Plus de Tommy Vandepitte (20)

Gegevensbescherming-clausule in (overheids)opdracht
Gegevensbescherming-clausule in (overheids)opdrachtGegevensbescherming-clausule in (overheids)opdracht
Gegevensbescherming-clausule in (overheids)opdracht
 
20190131 - Presentation Q&A on legislation's influence (on travel management)
20190131 - Presentation Q&A on legislation's influence (on travel management)20190131 - Presentation Q&A on legislation's influence (on travel management)
20190131 - Presentation Q&A on legislation's influence (on travel management)
 
GDPR toegepast op huur-verhuur (Dutch)
GDPR toegepast op huur-verhuur (Dutch)GDPR toegepast op huur-verhuur (Dutch)
GDPR toegepast op huur-verhuur (Dutch)
 
Controller-to-processor agreements
Controller-to-processor agreementsController-to-processor agreements
Controller-to-processor agreements
 
Gegevensbescherming makelaars
Gegevensbescherming makelaarsGegevensbescherming makelaars
Gegevensbescherming makelaars
 
EEAS - Cultivate your data protection
EEAS - Cultivate your data protectionEEAS - Cultivate your data protection
EEAS - Cultivate your data protection
 
Presentation for the LSEC GDPR event - 20171130
Presentation for the LSEC GDPR event - 20171130Presentation for the LSEC GDPR event - 20171130
Presentation for the LSEC GDPR event - 20171130
 
Training privacy by design
Training privacy by designTraining privacy by design
Training privacy by design
 
GDPR voor steden en gemeenten (Dutch)
GDPR voor steden en gemeenten (Dutch)GDPR voor steden en gemeenten (Dutch)
GDPR voor steden en gemeenten (Dutch)
 
GDPR project board deck (example)
GDPR project board deck (example)GDPR project board deck (example)
GDPR project board deck (example)
 
IS/DPP for staff #8 - Monitoring
IS/DPP for staff #8 - MonitoringIS/DPP for staff #8 - Monitoring
IS/DPP for staff #8 - Monitoring
 
IS/DPP for staff #7 - Incidents
IS/DPP for staff #7 - IncidentsIS/DPP for staff #7 - Incidents
IS/DPP for staff #7 - Incidents
 
IS/DPP for staff #6 - Acceptable use
IS/DPP for staff #6 - Acceptable useIS/DPP for staff #6 - Acceptable use
IS/DPP for staff #6 - Acceptable use
 
IS/DPP for staff #5b - Passwords
IS/DPP for staff #5b - PasswordsIS/DPP for staff #5b - Passwords
IS/DPP for staff #5b - Passwords
 
IS/DPP for staff #5a - Access
IS/DPP for staff #5a - AccessIS/DPP for staff #5a - Access
IS/DPP for staff #5a - Access
 
IS/DPP for staff #3b - Data Classification
IS/DPP for staff #3b - Data ClassificationIS/DPP for staff #3b - Data Classification
IS/DPP for staff #3b - Data Classification
 
IS/DPP for staff #3a - Data
IS/DPP for staff #3a - DataIS/DPP for staff #3a - Data
IS/DPP for staff #3a - Data
 
IS/DPP for staff #2 - Why?
IS/DPP for staff #2 - Why?IS/DPP for staff #2 - Why?
IS/DPP for staff #2 - Why?
 
IS/DPP for staff #1 - intro
IS/DPP for staff #1 - introIS/DPP for staff #1 - intro
IS/DPP for staff #1 - intro
 
Training Procurement
Training ProcurementTraining Procurement
Training Procurement
 

Dernier

Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptxMan or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptxDhatriParmar
 
Narcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfNarcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfPrerana Jadhav
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...Nguyen Thanh Tu Collection
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
Measures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataMeasures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataBabyAnnMotar
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDecoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDhatriParmar
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationdeepaannamalai16
 
Multi Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleMulti Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleCeline George
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
week 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8  fourth  -  quarter .pptxweek 1 cookery 8  fourth  -  quarter .pptx
week 1 cookery 8 fourth - quarter .pptxJonalynLegaspi2
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWQuiz Club NITW
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...DhatriParmar
 
Scientific Writing :Research Discourse
Scientific  Writing :Research  DiscourseScientific  Writing :Research  Discourse
Scientific Writing :Research DiscourseAnita GoswamiGiri
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1GloryAnnCastre1
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 

Dernier (20)

Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptxMan or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
 
Narcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfNarcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdf
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
Measures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataMeasures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped data
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDecoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
 
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of EngineeringFaculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentation
 
Multi Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleMulti Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP Module
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
week 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8  fourth  -  quarter .pptxweek 1 cookery 8  fourth  -  quarter .pptx
week 1 cookery 8 fourth - quarter .pptx
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITW
 
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptxINCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
 
Scientific Writing :Research Discourse
Scientific  Writing :Research  DiscourseScientific  Writing :Research  Discourse
Scientific Writing :Research Discourse
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 

DPIA template

1. Project
This chapter allows for a tie-in with the project in which the data processing is looked at, either to be developed or to be changed. This is not a mandatory chapter in a DPIA, but it helps to put the DPIA in the larger business operations context of the organisation.
Please, give the official references and a short description of the project, as the case may be – to avoid redundancy – by referring to relevant documents such as the project charter or a process description.

2. Need for a data protection impact assessment
A data protection impact assessment is considered necessary when a data processing operation is “likely to result in a high risk to the rights and freedoms of natural persons” (art. 35 §1 GDPR). This is assumed to be the case in case of (art. 35 §3 GDPR)
● a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
● processing on a large scale of special categories of data referred to in Article 9(1) (e.g. racial or ethnic origin, health data, political opinions, religious beliefs, or trade union membership), or of personal data relating to criminal convictions and offences referred to in Article 10 GDPR
● a systematic monitoring of a publicly accessible area on a large scale
This is elaborated by the data protection authorities to:
● Evaluation or scoring
● Automated decision-making with significant effects
● Systematic monitoring
● Processing of sensitive data or data of a highly personal nature
● Processing on a large scale
● Processing of data concerning vulnerable data subjects
● Innovative technological or organisational solutions
● Processing preventing data subjects from exercising a right or using a service or contract
● Data transfer across borders outside the European Union
Detailed explanations can be found in the guidelines provided in WP248 of the Article 29 Working Party, which were endorsed by the EDPB.
Note that the “rights and freedoms of natural persons” that may be at risk are not only privacy (in the broad sense, including self-development) and data protection, but also such rights and freedoms as the right to life, the right to bodily integrity and the right not to be discriminated against.
There is a / no risk to the rights and freedoms of natural persons due to [Please, indicate what risks you have identified (with some brief explanation), e.g.]
- Privacy of the individuals (data subjects), including reputational damage or the inability to access services or opportunities
- Data protection of the individuals (data subjects), including loss of confidentiality
- Identity theft
- Inability to exercise one’s rights
- Discrimination of the individuals (data subjects)
- Retaliation against the individuals (data subjects)
- Bodily harm to the individuals (data subjects)
- Threat to the life of the individuals (data subjects)

We think the risk to the rights and freedoms of natural persons is (not) high due to [Please, give reasons why a DPIA is needed (or not), e.g.]
● Personal data being transferred around the globe
● Processing of vulnerable data subjects, e.g. workers in a potentially dangerous situation
● Processing of sensitive data (e.g. racial or ethnic origin, health data, political opinions, religious beliefs, or trade union membership)
● Processing for which it is impossible or unlikely that the data subject will exercise their data subject rights (against the organisation)
If the conclusion is that the risk to the rights and freedoms of natural persons is NOT high, this should be argued. In that case the data processing operation nevertheless needs to be notified to the data protection officer (or in its absence the legal office) to ensure that it is registered in the data processing register (art. 30 GDPR), which requires a description of the data processing anyway. If this DPIA is completed and provided to the data protection officer (or in its absence the legal office), they will ensure that the data processing is inserted in the data processing register based on the information in this DPIA.

3. Description of the (planned) processing
This section aims to address the requirement to insert “a systematic description of the envisaged processing operations and the purposes of the processing” in the DPIA (art. 35 §7 a GDPR). Remember that processing is broadly defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (art. 4 (2) GDPR).
The goal is to have a good view on the data processing. The (sub-)sections are merely there in support thereof. If the description works better and is still complete through another format or presentation, the (sub-)sections can be suppressed.

3.1. Overview / summary / visual
This section allows to provide an overview of the processing end-to-end in a single summary description, ideally with a visual of the data flows. The idea is to give the reader of this DPIA a global idea of the data processing without having to read the details in the other (sub-)sections of this chapter 2.
[Please, give an overview of the data processing, as the case may be supported by a visual depiction of the data flows.]

3.2. Scope of the processing
This section allows to provide information on the scope of the processing, in other words what the processing covers. Such includes the category of the personal data, the volume and variety of the personal data, the sensitivity of the personal data, the extent and frequency of the processing, the duration of the processing, the number of data subjects involved, the geographical area covered, …
[Please, define the scope of data processing, e.g. with the following sections:]
(a) Data subjects in scope
  a. types of data subjects in scope
  b. estimated volume of data subjects in scope
(b) Personal data in scope
  a. categories of personal data in scope
  b. estimated volume of data (points) per data subject in scope
(c) Temporal scope
  a. frequency of data updates
  b. (longest) data retention
(d) Geographical scope
(e) Personal scope (parties involved)
  a. Controller
  b. Processor

3.3. Nature of the processing
This section allows to provide information on the nature of the processing, in other words what we plan to do with the personal data. Such includes: how we collect the data, how we store the data, how we use the data, who has access to the data, who we share the data with, whether we use any processors, retention periods, security measures (so-called technical and organisational measures), whether we are using any new technologies (AI, blockchain, etc.), whether we are using any novel types of processing, which screening criteria have been flagged as likely high risk, …
[Please, define the nature of data processing, e.g. with the following sections:]
(a) Data collection
  a. Who collects?
  b. Where does the collection happen (geographically)?
  c. How is it collected?
  d. From whom is it collected? (source: data subject, third party, data broker, …)
(b) Data storage
  a. Who stores / is responsible for the storage?
  b. Where is it stored (geographically, “in the cloud”)?
(c) Access to the data
  a. Who (parties or categories of recipients) will have direct access to the data?
  b. Who (parties or categories of recipients) will the data be shared with?
(d) Data use (in the broadest sense)
  a. Who will do what with the data?
(e) Security of the processing
(f) Data destruction

3.4. Context of the processing
This section allows to provide information on the context of the processing, in other words the wider picture, including internal and external factors which might affect expectations or impact. Such includes: the source of the data, the nature of our relationship with the individuals (data subjects), the extent to which individuals (data subjects) have control over their data, the extent to which individuals (data subjects) are likely to expect the processing, whether they include children or other vulnerable people, any previous experience of this type of processing, any relevant advances in technology or security, any current issues of public concern, whether any data protection codes of conduct or certification schemes will be complied with (once any have been approved), whether relevant codes of practice have been considered and complied with, …
Reference is made to the project description in chapter 1 of this document.
[Please, define the further context of data processing, should such be relevant.]

3.5. Purpose of the processing
The purpose of the processing is the reason why we want to process the personal data. Such includes: a legal obligation, a contractual obligation (of ours or of third parties we technically or organisationally support), an interest of the organisation or its members, the intended outcome for individuals (data subjects), the expected benefits for the organisation or society as a whole, …
Reference is made to chapter 4 of this document.

4. Check of purpose of the processing v legal framework
This section aims to address the requirement to insert “(a systematic description of) (…) the purposes of the processing” and “an assessment of the necessity and proportionality of the processing operations in relation to the purposes” in the DPIA (art. 35 §7 a and b GDPR).
The purpose-bound nature of processing is a basic principle of the data protection legislation (art. 5 §1 b GDPR): personal data must only “be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.

4.1. (Business) purpose(s) for processing the personal data
[Please, define the (business) purpose(s) of data processing, e.g. a new or changed service for the customers, digitalisation of an existing HR process for payroll administration, …]

4.2. Link of the purpose with the basis for legitimate processing
Lawful processing is a basic principle of the data protection legislation (art. 5 §1 a GDPR). It is expressed for all data processing and with additional requirements / restrictions for processing of special categories of data and transfer of data outside of the EU.
(1) General basis for legitimate processing
This section focuses on the application of one of the six general bases for legitimate processing mentioned in art. 6 §1 GDPR, mainly: (a) consent of the data subject (with special attention for the requirements for and weakness of such consent (art. 7 and 8 GDPR)), (b) performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, (c) compliance with a legal obligation to which the controller is subject (careful about legal obligations outside of the EU), and (d) legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
[Please, determine the (main) legal basis for the (different) processing (operations) of all personal data in scope by referring to one of the legal bases and explaining how it applies in this case, so]
(a) In case of consent: demonstrate how consent is retrieved and can be proven
(b) In case of a contract: reference to the (draft / template) contract
(c) In case of a legal obligation: reference to the source of the legal obligation, as the case may be the joint reading of multiple provisions
(d) In case of a legitimate interest: make the interest(s) explicit and prepare to explain in depth in section 4.3 how the individual rights of the data subjects do not override that (those) interest(s)
(2) Basis for legitimate processing in case of special categories of data
If and when special categories of data are processed, such requires an additional basis for legitimate processing (art. 9 and 10 GDPR). The categories of data referred to are in particular “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”, and “data relating to criminal convictions and offences or related security measures”. For the latter category we should only process those if there is a legal basis for such processing.
Note that beyond that, specific legal provisions may specifically protect other categories of data, such as cardholder data (e.g. PCI-DSS) or other financial data, national register numbers, social security numbers or other identifiers of general use by the government or other bodies, …
[Please, determine the (main) legal basis for the (different) processing (operations) of special categories of personal data in scope by referring to one of the legal bases and explaining how it applies in this case, so for example]
(a) In case of a legal obligation: reference to the source of the legal obligation, as the case may be the joint reading of multiple provisions
(b) In case of an explicit consent: reference to the (draft / template) contract
(c) In case of establishment, exercise or defence of legal claims: the reference to the type of legal claims and the parties to the claim (claimant and defendant)
(3) Basis for legitimate processing in case of transfer outside of the EU
This section focuses on the application of three main mechanisms to support structural transfers of personal data outside of the EU, namely (a) the countries involved are considered to provide equivalent or adequate data protection (art. 45 GDPR + website EC), (b) standard contractual clauses (art. 46 §2 c and d io. 93 §2 GDPR + website EC), or (c) binding corporate rules (art. 47 GDPR + website EDPB). Only for “one off” / occasional transfers can the derogations be looked at (art. 49 GDPR).
Note that at least since the so-called Schrems II decision (C-311/18) the transfer of personal data outside of the EU also requires an analysis of the legal system in the receiving countries to assess the data protection risk for the
  • 7. Template for DPIA (EN) Page: 7 data subjects and to develop measures (like encryption and contractual arrangement) thatkeep the data protecti on risk (for the data subjects) low. Only in case of an adequacy decision (art. 45 GDPR) such is not required. [Please, define the (business) purpose(s) of data processing e.g. new or change to existing service for the customers, digitalisation of an existing HR process for payroll administratie,… ] (4) Local law legitimacy requirement This section allows for insertion of local law that may apply, especially outside of the EU. [OR We are not aware of any local law that in addition needs to be applied to come to a legitimate processing of the information.] [OR The following local law was brought to our attention and has the following impact for the legitimate processing of the information: (…)] 4.3. Check of the necessity and proportionality of the processing (1) Necessity of the processing In each of the basis for legitimate processing there is a necessitywording,i.e. only the necessarydata processing can be legitimized. By consequence only the necessary processing can lawfully be performed. [Please, argue that and how all processing described is necessary in reaching the purposes defined.] (2) Data minimisation Data minimisation is a basic principleofthe data protection legislation (art.5 §1 c GDPR): personal data must(only) processed ifitis “adequate,relevantand limited to what is necessary in relation to the purposes for which they are processed”.In other words only the minimum amountofrelevant data should be processed and such assessment should in principle be applied at each stage of the end-to-end process. [Please, argue that and how only the minimum amount of relevant data is to be processed.] (3) Avoidance of “function creep” Function creep is the situation where data processed for one (bundle of) purposes is (later) reused for other purposes, mainly because “we have the data anyway”. 
[Please, argue that and how function creep is avoided.]
(4) Only need-to-know access

Limiting access to the data to only those people and parties that have a need to know is an application of the proportionality principle (art. 5 §1 f, 28, 29 and 32 GDPR).

[Please, argue that and how the (relevant) data is only accessible by / shared with people with a need to know. Note that in principle the parties involved are described in more detail in section 3.3.]

(5) Time limitation ("storage limitation")

Storage limitation is a basic principle of the data protection legislation (art. 5 §1 e GDPR): personal data must (only) be processed if it is "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed". In other words: data should only be kept if there is a demonstrable (legal) obligation (e.g. in support of accounting) or need to keep it (e.g. to demonstrate execution of an agreement), and no overriding (legal) obligation to destroy the data (e.g. a legal maximum retention period). If there is no longer a need to keep the data, it will be hard to argue for longer retention.

[Please, argue that and how the (relevant) data is kept only for as long as needed. Note that in principle the retention period is mentioned in section 3.3.]

5. Assessment of the (inherent) risks for the data subjects

A third mandatory part of a DPIA is "an assessment of the risks to the rights and freedoms of data subjects" (art. 35 §7 c GDPR).

Reference is made to chapter 2 for the preliminary assessment of the inherent risks for the data subjects.

[The reference above can suffice in some cases. This chapter is an opportunity, but not an obligation, to elaborate more extensively on the risks you have identified in chapter 2. You may do that by going through some "worst case" scenarios which impact the data subjects and, for each of them, determining the (worst) possible impact on the data subjects and the probability of such an impact materialising, resulting in a risk score. Scenarios to consider are:
- breach of confidentiality (e.g. the data is published on a WikiLeaks-like website, is in the possession of a bad actor, or is shared with a foreign government),
- breach of integrity (the data is changed or corrupted, knowingly or unbeknownst to us),
- breach of availability (the data is lost or encrypted through ransomware),
- ...]

6. Data protection by Design

An important part of the principle of accountability (art. 5 §2 GDPR) is the duty of the controller (art. 25 §1 GDPR) to "implement appropriate technical and organisational measures" "which are designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of (the GDPR) and protect the rights of data subjects", under the following conditions:
- "taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing"
- "both at the time of the determination of the means for processing and at the time of the processing itself"

This obligation includes the obligation of security by design, i.e. to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk" (art. 32 GDPR).

6.1. General

[Please, argue in general that and how the (personal) data processing is set up with data protection in mind.]

6.2. Specific measures

The specific measures taken can be categorised in a number of ways. Frameworks for information security, such as the ISO 27000 series and NIST SP 800-53, can also provide useful inspiration. Article 32 §1 GDPR itself refers to "(a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing".

[Please, insert information on the specific measures (to be) taken, e.g.]
- Deciding not to collect certain types of data.
- Reducing the scope of the processing.
- Anonymising or pseudonymising data where and as soon as possible (note that pseudonymised data remains personal data as long as the key or mapping that allows re-identification exists; only truly anonymised data falls outside the GDPR).
- Reducing retention periods.
- Using a different technology.
- Taking additional technological security measures.
- Writing internal guidance or processes to avoid risks.
- Instructing and training (relevant) staff to ensure risks are anticipated and managed.
- Putting clear data sharing agreements in place, especially with processors (art. 28 GDPR) or joint controllers (art. 26 GDPR).
- Ensuring audit assurance on the data processing, especially when performed by third parties (processors or joint controllers).
- Making changes to the privacy statement to increase transparency for the data subjects (art. 12-14 GDPR).
- Offering individuals the chance to opt out, where appropriate.
- Implementing new systems to help individuals exercise their rights (art. 12-23 GDPR).
- Adding a human element to review automated decisions (art. 22 GDPR), if any.

7. Assessment of the (residual) risks for the data subjects

The same mandatory part of a DPIA, "an assessment of the risks to the rights and freedoms of data subjects" (art. 35 §7 c GDPR), is revisited here. The inherent risks, i.e. in principle PRIOR to the measures described in chapter 6, should be set out in chapters 2 and/or 5. This chapter looks at the risk AFTER the (implementation of the) measures described in chapter 6, to determine the level of residual risk for the data subjects.
[EITHER] After the measures described (see chapter 6), we assess the residual risks for the data subjects to be mitigated to a reasonable, low level of risk. We still identify the following risks and aim to control them as indicated above:

[Please, indicate which risks you still identify and the level you assess them at (with some brief explanation), e.g.]
- Privacy of the individuals (data subjects)
- Data protection of the individuals (data subjects)
- Discrimination of the individuals (data subjects)
- Retaliation against the individuals (data subjects)
- Bodily harm to the individuals (data subjects)
- Threat to the life of the individuals (data subjects)

[OR] After the measures described (see chapter 6), we assess the residual risks for the data subjects to be mitigated, but still at a high level. Reference is made to chapter 8 below.

8. Involvement of the data protection authority

If and when the DPIA leads to the result that even after the mitigating measures the risks for the data subjects are still high, the organisation must consult the Data Protection Authority prior to the processing (in Belgium the Gegevensbeschermingsautoriteit or Autorité de Protection des Données) (art. 36 §1 GDPR). Any such consultation will be performed via the data protection officer (or, in the absence thereof, the legal office) of the organisation, or as the case may be, supported by (external) legal counsel.

[DEFAULT] No data protection authority was involved, as such was not necessary.
[WHEN CONSULTED] The Belgian data protection authority was consulted via a case file containing the information listed in art. 36 §3 GDPR, provided to it on (date). The result of the consultation was as follows: (insert result).

9. Concluding remarks

[Please, state in short what conclusion you took from the final DPIA.]
[e.g. the open actions are integrated in the action log for the project.]