Source folder: Data Protection - GDPR
Source file: 20180510 DPO Course - Session 3.pdf
File type: PDF document
COMPLIANCE
Breakdown of Today's Session
✓ Legal requirements of a DPIA;
✓ How to conduct a DPIA;
✓ Policies and Procedures; and
✓ Auditing
The GDPR - a risk-based Regulation
Data Protection Impact Assessment ("DPIA")
✓ A DPIA is only required when the processing is "likely to result in a high risk to the rights and freedoms of natural persons"
✓ Note the "in particular using new tech" in art 35(1)
A Balancing Act
(Diagram: the Rights and Freedoms of Data Subjects weighed against the Processing Activities)
What should a DPIA address?
✓ Either: a single processing operation
✓ Or: a set of similar processing operations
DPIA - Single Processing
(Diagram: one DPIA covering a single processing operation on Data set 1)
DPIA - Multiple Processing
(Diagram: one DPIA covering a set of similar processing operations on Data sets 1 to 6)
When is a DPIA mandatory?
✓ Evaluation or scoring, profiling and predicting
✓ Automated decision making with legal significant effect
✓ Systematic monitoring
✓ Sensitive data
✓ Data processed on a large scale
✓ Matching datasets
✓ Data concerning vulnerable data subjects
✓ Processing that prevents data subjects from exercising their rights
✓ Innovative organisational solutions
What should the DPIA include?
✓ Purpose of processing
✓ Description of categories of the data
✓ Description of the recipients
✓ Technical and organisational security measures
✓ High risk?
When is a DPIA not required?
✓ Authorised prior to May 2018
✓ Not likely to result in a high risk
✓ Similar DPIA exists
✓ Has a legal basis
✓ On the list of processing operations for which a DPIA is not required
When should a DPIA be undertaken?
Re-Cap
✓ A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them.
✓ The assessment must be carried out when the processing results in a high risk to the data subject's fundamental rights and freedoms.
✓ The assessment should be carried out before the processing operation takes place and must be continually updated.
Who is obliged to carry out a DPIA?
✓ Data Controller
✓ Data Processor
Article 5 of the GDPR
"The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')."
Data Controller
An entity which, alone or together with at least another entity, determines the purposes and means of the processing of personal data.
(Diagram: the relationship between the Data Controller, Personal Data and the Data Subject)
(Diagram: Data Protection Officer and Data Controller)
(Diagram: the stages of a DPIA)
✓ Description of the envisaged processing
✓ Assessment of the necessity and proportionality
✓ Measures already envisaged
✓ Assessment of the risks to the rights and freedoms
✓ Measures envisaged to address the risks
✓ Documentation
✓ Monitoring and review
What form should the DPIA take?
What are the sanctions?
Policies and Procedures
GDPR Recital 78
"In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default."
Policies
✓ Data Subject Access Request Form
✓ Clean Desk Policy
✓ IT Security Policy
✓ Website Use Policy
✓ Cookies Policy
✓ Data Retention Policy
Procedures
✓ Data Subject Access Request
✓ Data Portability
✓ Data Breach
✓ Data Subject Consent Withdrawal
Auditing
Auditing - why is it necessary?
Before you can do anything you must establish:
The Accountability Principle
Appropriate technical and organisational measures are a must!
✓ adopting and implementing data protection policies
✓ taking a 'data protection by design and default' approach
✓ putting written contracts in place with organisations that process personal data on your behalf
✓ maintaining documentation of your processing activities
✓ implementing appropriate security measures
✓ recording and, where necessary, reporting personal data breaches
✓ appointing a data protection officer
DP Auditing
✓ Gap Analysis
✓ Risk Analysis
✓ Legal Analysis
✓ Project Steering / Budget Planning
✓ Setting Up a data protection structure and management
✓ Monitoring the status of implementation
✓ Review Insurance Arrangements
✓ Assess Liability Exposure
Data Inventories
Thank you
Technical Excellence, Practical Solutions
Terence Cassar
Email: terence.cassar@camilleripreziosi.com
Telephone: (356) 21238989