This document summarizes best practices for completing data protection impact assessments (DPIAs) in compliance with GDPR. It discusses what a DPIA is, when they are required, and outlines a process for conducting them that includes preparing by understanding business risks, completing a data inventory, identifying any high-risk processing activities, demonstrating due diligence over current efforts, and how TrustArc software can help automate and manage the DPIA process. The webinar agenda also includes discussing getting started, knowing your data, whether high-risk activities are present, demonstrating due diligence, and answering questions.
Speakers
Paul Iagnocco, Customer Enablement Lead and Senior Privacy Consultant, TrustArc
Berta Balanzategui, European Senior Privacy & Data Protection Counsel, General Electric Company
Joanne Furtsch, Privacy Intelligence Development Director, TrustArc
Legal Disclaimer
The information provided during this webinar does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented during this webinar are for general informational purposes only.
Agenda
What, Why, When…
Getting Started…
Know Your Data…
High-Risk Processing Activities Present?
Demonstrate Your Due Diligence…
How TrustArc Can Help
Questions & Answers
Understanding Data Protection Impact Assessments
What is a DPIA? A type of PIA with a focus on data protections, designed to assess the risk associated with processing activities that pose a high risk to individuals.
Why a DPIA? To identify the controls needed to address and reduce risk, and to ensure appropriate data protections are in place to comply with GDPR.
When to use a DPIA? When processing activities present a high risk to individuals. Complete it prior to engaging in the high-risk processing activities.
Preparation
Risk Posture
• Meet with the business risk officer to understand the organization's “risk appetite” and “risk tolerance.”
• Understand how risk is treated in the business culture, strategy and corporate governance.
Identify internal/external S/PII processing
• Start with the internal functions that collect and process S/PII.
• Identify the business functions that have been processing S/PII; specifics are needed.
Format & Process
• Determine whether the identification is tracked in software or in spreadsheets.
• Once the format is identified, communicate the process to key stakeholders.
Complete Data Inventory
Business Processing Activities & SMEs
• Identify data flows, systems, and vendors
• Include the information necessary for completing a DPIA
Record
• Information about the processing, the data elements involved and their level of sensitivity
• Systems and 3rd parties involved
Analyze
• The origins and transfers of information
• The inherent risk of the processing activity
Conducting a DPIA
Build DPIA Assessment
• Develop and document the DPIA methodology and process
• Identify the tools necessary for completing DPIAs
Complete DPIA
• Identify and engage the stakeholders needed to complete DPIAs
• Create awareness and communicate the process
Assess & Remediate
• Determine the type of assessment needed
• Manage and report on remediation activities and outcomes
Be Prepared to Demonstrate
Reporting: data inventory & DPIAs
• Determine who owns these
• Data inventory: complete the GDPR Article 30 records of processing activities (ROPAs)
• DPIAs: complete the GDPR Article 35 assessments
Current Efforts: workflows & revalidations
• Determine who owns these
• Draft and implement workflows: data inventory, risk evaluation and DPIA
• Align on revalidations: frequency, updates
Centralized Privacy Impact Depository
• Determine who owns this
• Store reports in a centralized location (shared drive)
• Limit access to specific job functions
Data Inventory Development
Data Inventory Hub
Build a data inventory and record of processing utilizing advanced collaboration features. Perform data mapping and export pre-built reports such as Article 30 or Business Process reports.
Data Inventory Development (continued)
Data Inventory Hub
For areas of your data record where you need human input, send out configurable forms via email.
Data Inventory Development (continued)
Risk Profile
Automatically score and evaluate privacy risk metrics on existing records, including Systems, Vendors, Company Affiliates, and Internal Processes.
Data Inventory Development (continued)
Risk Profile
Generate automated follow-up actions for each record. Know when you need to conduct a DPIA/PIA or Vendor Assessment. Download and export automated company and vendor risk reports.
DPIA Management
Assessment Manager
End-to-end assessment management solution. Launch PIAs, Vendor Assessments, and more. Automate review, risk scoring, revalidation, notifications, action plans, and follow-up tasks.
DPIA Management (continued)
Assessment Manager
Pre-built templates crafted by privacy experts and thought leaders, completely configurable in TrustArc’s Template Editor. Upload any assessment and begin automation today.
DPIA Management (continued)
Assessment Manager
Based on the responses to the questions…
• Conditional Questions: reveal new questions
• Auto-Assessment: assign a separate assessment
• Early Exit: auto-approve and end the assessment
• Approval Routing: assign a specific approver
• Assign Tasks: auto-assign tasks
• Auto Emails: auto-send emails
• Risk Scoring: auto-assign risk per question
Save time with no human effort required!
Most advanced assessment automation features on the market. Fully implement an assessment process that automates the existing manual review, risk calculation, and task delegation process.
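The automation behaviours listed above (conditional questions, early exit, per-question risk scoring, approval routing and task assignment) can be modelled as a small rule engine. The block below is an added, constructed illustration of that model and is not TrustArc's product code; the question set, risk points and review threshold are assumptions chosen for the demo. The three questions flagged as mandatory paraphrase the GDPR Article 35(3)(a)-(c) examples of processing that requires a DPIA; everything else (the "new technologies", vendor and transfer questions, the scores, the approver names) is hypothetical.

```python
"""Rule-driven DPIA screening questionnaire.

Constructed illustration of the automation features the slides describe
(conditional questions, early exit, risk scoring, approval routing, task
assignment). Added example code, not TrustArc's product code; the question
list, scores, threshold and approver names are assumptions for the demo.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Question:
    qid: str
    text: str
    risk: int = 0                                     # risk points added on "yes"
    mandatory_dpia: bool = False                      # a "yes" alone triggers a DPIA
    show_if: Optional[Callable[[dict], bool]] = None  # conditional question
    early_exit_if_no: bool = False                    # a "no" auto-approves and stops


# Screening questions (assumed set). The three mandatory_dpia questions
# paraphrase the GDPR Article 35(3)(a)-(c) examples of high-risk processing.
QUESTIONS = [
    Question("personal_data", "Does the activity process personal data?",
             early_exit_if_no=True),
    Question("profiling", "Systematic and extensive evaluation of personal aspects "
             "based on automated processing, incl. profiling, with legal or "
             "similarly significant effects on individuals?",
             risk=5, mandatory_dpia=True),
    Question("special_cat", "Large-scale processing of special categories of data "
             "(Art. 9) or data on criminal convictions and offences (Art. 10)?",
             risk=5, mandatory_dpia=True),
    Question("monitoring", "Systematic monitoring of a publicly accessible area "
             "on a large scale?", risk=5, mandatory_dpia=True),
    Question("new_tech", "Does the activity use new technologies?", risk=2),
    Question("vendor", "Is a third-party processor involved?", risk=1),
    Question("vendor_transfer", "Does that processor transfer data outside the EEA?",
             risk=2, show_if=lambda a: a.get("vendor") is True),
]

REVIEW_THRESHOLD = 3   # assumed: at or above this score a human reviews


@dataclass
class Outcome:
    status: str             # "approved", "review" or "dpia_required"
    score: int
    approver: str           # who the assessment is routed to
    asked: list = field(default_factory=list)   # question ids actually shown
    tasks: list = field(default_factory=list)   # auto-assigned follow-up tasks


def screen(answers: dict) -> Outcome:
    """Walk the questionnaire for one processing activity.

    `answers` maps question id -> bool; unanswered questions count as "no".
    """
    score, asked, tasks = 0, [], []
    mandatory = False
    for q in QUESTIONS:
        if q.show_if is not None and not q.show_if(answers):
            continue                       # conditional question stays hidden
        asked.append(q.qid)
        ans = bool(answers.get(q.qid, False))
        if q.early_exit_if_no and not ans:
            return Outcome("approved", 0, "auto", asked, [])   # early exit
        if ans:
            score += q.risk
            mandatory = mandatory or q.mandatory_dpia
            if q.qid == "vendor":
                tasks.append("Launch vendor assessment")

    # Approval routing: any Art. 35(3) criterion goes to the DPO regardless of
    # score; otherwise the total score decides between auto-approval and review.
    if mandatory:
        tasks.append("Complete Article 35 DPIA before processing starts")
        return Outcome("dpia_required", score, "DPO", asked, tasks)
    if score >= REVIEW_THRESHOLD:
        return Outcome("review", score, "privacy_team", asked, tasks)
    return Outcome("approved", score, "auto", asked, tasks)


if __name__ == "__main__":
    # Constructed sample: a vendor-backed feature that transfers data outside the EEA.
    demo = {"personal_data": True, "vendor": True, "vendor_transfer": True}
    print(screen(demo))
```

The point of the `mandatory_dpia` flag is that a score threshold alone is the wrong control for the Article 35(3) cases: a single "yes" there must route to a DPIA even if every other answer is "no", so the flag overrides the numeric score rather than contributing to it.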
Thank You!
See http://www.trustarc.com/insightseries for the 2023
Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with privacy and
data security compliance, please reach out to sales@trustarc.com for a free demo.