DPIA template

Template for DPIA (EN)
Page: 1

Data Protection Impact Assessment (DPIA)
pursuant to Art. 35 GDPR, Recitals 84, 89, 90, 91, 92

Title of the project: Title
Initial creation of DPIA: DD.MM.YYYY by Name Surname
Last check: DD.MM.YYYY by Name Surname
Next check due: DD.MM.YYYY

The sections in gray, like this one, are meant to provide “in document” guidance on how to use this template. In general spaces where you are to insert information

Contents
1. Project 2
2. Need for a data protection impact assessment 2
3. Description of the (planned) processing 3
3.1. Overview / summary / visual 3
3.2. Scope of the processing 4
3.3. Nature of the processing 4
3.4. Context of the processing 5
3.5. Purpose of the processing 5
4. Check of purpose of the processing v legal framework 5
4.1. (Business) purpose(s) for processing the personal data 5
4.2. Link of the purpose with the basis for legitimate processing 6
4.3. Check of the necessity and proportionality of the processing 7
5. Assessment of the (inherent) risks for the data subjects 8
6. Data protection by Design 9
6.1. General 9
6.2. Specific measures 9
7. Assessment of the (residual) risks for the data subjects 9
8. Involvement of the data protection authority 9
9. Concluding remarks 10
1. Project

This chapter allows for a tie-in with the project in which the data processing is looked at, either to be developed or to be changed. This is not a mandatory chapter in a DPIA, but it helps to put the DPIA in the larger business operations context of the organisation.

Please, give the official references and a short description of the project, as the case may be – to avoid redundancy – by referring to relevant documents such as the project charter or a process description.

2. Need for a data protection impact assessment

A data protection impact assessment is considered necessary when a data processing operation is “likely to result in a high risk to the rights and freedoms of natural persons” (art. 35 §1 GDPR). This is assumed to be the case in case of (art. 35 §3 GDPR):
● a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
● processing on a large scale of special categories of data referred to in Article 9(1) (e.g. racial or ethnic origin, health data, political opinions, religious beliefs, or trade union membership), or of personal data relating to criminal convictions and offences referred to in Article 10 GDPR
● a systematic monitoring of a publicly accessible area on a large scale

This is elaborated by the data protection authorities to:
● Evaluation or scoring
● Automated decision-making with significant effects
● Systematic monitoring
● Processing of sensitive data or data of a highly personal nature
● Processing on a large scale
● Processing of data concerning vulnerable data subjects
● Innovative technological or organisational solutions
● Processing preventing data subjects from exercising a right or using a service or contract
● Data transfer across borders outside the European Union

Detailed explanations can be found in the guidelines provided in WP248 of the Article 29 Working Party, which were endorsed by the EDPB.

Note that the “rights and freedoms of natural persons” that may be at risk are not only privacy (in the broad sense, including self-development) and data protection, but also such rights and freedoms as the right to life, the right to bodily integrity and the right not to be discriminated against.

There is a / no risk to the rights and freedoms of natural persons due to
[Please, indicate what risks you have identified (with some brief explanation), e.g.]
- Privacy of the individuals (data subjects), including reputational damage or the inability to access services or opportunities
- Data protection of the individuals (data subjects), including loss of confidentiality
- Identity theft
- Inability to exercise one’s rights
- Discrimination of the individuals (data subjects)
- Retaliation against the individuals (data subjects)
- Bodily harm to the individuals (data subjects)
- Threat to life for the individuals (data subjects)
We think the risk to the rights and freedoms of natural persons is (not) high due to
[Please, give reasons why a DPIA is needed (or not), e.g.]
● Personal data being transferred around the globe
● Processing of vulnerable data subjects, e.g. workers in a potentially dangerous situation
● Processing of sensitive data (e.g. racial or ethnic origin, health data, political opinions, religious beliefs, or trade union membership)
● Processing for which it is impossible or unlikely that the data subject will exercise their data subject rights (against the organisation)

If the conclusion is that the risk to the rights and freedoms of natural persons is NOT high, this should be argued. In that case the data processing operation nevertheless needs to be notified to the data protection officer (or in its absence the legal office) to ensure that it is registered in the data processing register (art. 30 GDPR), which requires a description of the data processing anyway. If this DPIA is completed and provided to the data protection officer (or in its absence the legal office), they will ensure that the data processing is inserted in the data processing register based on the information in this DPIA.

3. Description of the (planned) processing

This section aims to address the requirement to insert “a systematic description of the envisaged processing operations and the purposes of the processing” in the DPIA (art. 35 §7 a GDPR). Remember that processing is broadly defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (art. 4 (2) GDPR).

The goal is to have a good view on the data processing. The (sub-)sections are merely there in support thereof. If the description works better and is still complete through another format or presentation, the (sub-)sections can be suppressed.

3.1. Overview / summary / visual

This section allows you to provide an overview of the processing end-to-end in a single summary description, ideally with a visual of the data flows. The idea is to give the reader of this DPIA a global idea of the data processing without having to read the details in the other (sub-)sections of this chapter.
[Please, give an overview of the data processing, as the case may be supported by a visual depiction of the data flows.]

3.2. Scope of the processing

This section allows you to provide information on the scope of the processing, in other words what the processing covers. Such includes the category of the personal data, the volume and variety of the personal data, the sensitivity of the personal data, the extent and frequency of the processing, the duration of the processing, the number of data subjects involved, the geographical area covered, …
[Please, define the scope of data processing, e.g. with the following sections:]
(a) Data subjects in scope
   a. types of data subjects in scope
   b. estimated volume of data subjects in scope
(b) Personal data in scope
   a. categories of personal data in scope
   b. estimated volume of data (points) per data subject in scope
(c) Temporal scope
   a. frequency of data updates
   b. (longest) data retention
(d) Geographical scope
(e) Personal scope (parties involved)
   a. Controller
   b. Processor

3.3. Nature of the processing

This section allows you to provide information on the nature of the processing, in other words what we plan to do with the personal data. Such includes: how we collect the data, how we store the data, how we use the data, who has access to the data, who we share the data with, whether we use any processors, retention periods, security measures (so-called technical and organisational measures), whether we are using any new technologies (AI, blockchain, etc.), whether we are using any novel types of processing, which screening criteria have been flagged as likely high risk, …

[Please, define the nature of data processing, e.g. with the following sections:]
(a) Data collection
   a. Who collects?
   b. Where does the collection happen (geographically)?
   c. How is it collected?
   d. From whom is it collected? (source: data subject, third party, data broker, …)
(b) Data storage
   a. Who stores / is responsible for the storage?
   b. Where is it stored (geographically, “in the cloud”)?
(c) Access to the data
   a. Who (parties or categories of recipients) will have direct access to the data?
   b. Who (parties or categories of recipients) will the data be shared with?
(d) Data use (in the broadest sense)
   a. Who will do what with the data?
(e) Security of the processing
(f) Data destruction
3.4. Context of the processing

This section allows you to provide information on the context of the processing, in other words the wider picture, including internal and external factors which might affect expectations or impact. Such includes: the source of the data, the nature of our relationship with the individuals (data subjects), the extent to which individuals (data subjects) have control over their data, the extent to which individuals (data subjects) are likely to expect the processing, whether they include children or other vulnerable people, any previous experience of this type of processing, any relevant advances in technology or security, any current issues of public concern, whether any data protection codes of conduct or certification schemes will be complied with (once any have been approved), whether relevant codes of practice have been considered and complied with, …

Reference is made to the project description in chapter 1 of this document.
[Please, define the further context of data processing, should such be relevant.]

3.5. Purpose of the processing

The purpose of the processing is the reason why we want to process the personal data. Such includes: a legal obligation, a contractual obligation (of ours or of third parties we technically or organisationally support), an interest of the organisation or its members, the intended outcome for individuals (data subjects), the expected benefits for the organisation or society as a whole, …

Reference is made to chapter 4 of this document.

4. Check of purpose of the processing v legal framework

This section aims to address the requirement to insert “(a systematic description of) (…) the purposes of the processing” and “an assessment of the necessity and proportionality of the processing operations in relation to the purposes” in the DPIA (art. 35 §7 a and b GDPR).

The purpose-bound nature of processing is a basic principle of the data protection legislation (art. 5 §1 b GDPR): personal data must only “be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.

4.1. (Business) purpose(s) for processing the personal data

[Please, define the (business) purpose(s) of data processing, e.g. a new or changed service for the customers, digitalisation of an existing HR process for payroll administration, …]

4.2. Link of the purpose with the basis for legitimate processing

Lawful processing is a basic principle of the data protection legislation (art. 5 §1 a GDPR). It is expressed for all data processing and with additional requirements / restrictions for the processing of special categories of data and the transfer of data outside of the EU.

(1) General basis for legitimate processing

This section focuses on the application of one of the six general bases for legitimate processing mentioned in art. 6 §1 GDPR, mainly: (a) consent of the data subject (with special attention for the requirements for and weakness of such consent (art. 7 and 8 GDPR)), (b) performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, (c) compliance with a legal obligation to which the controller is subject (careful about legal obligations outside of the EU), and (d) legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

[Please, determine the (main) legal basis for the (different) processing (operations) of all personal data in scope by referring to one of the legal bases and explaining how it applies in this case, so]
(a) In case of consent: demonstrate how consent is retrieved and can be proven
(b) In case of a contract: reference to the (draft / template) contract
(c) In case of a legal obligation: reference to the source of the legal obligation, as the case may be the joint reading of multiple provisions
(d) In case of a legitimate interest: make the interest(s) explicit and prepare to explain in depth in section 4.3 how the individual rights of the data subjects are not overriding that (those) interest(s)

(2) Basis for legitimate processing in case of special categories of data

If and when special categories of data are processed, such requires an additional basis for legitimate processing (art. 9 and 10 GDPR). The categories of data referred to are in particular “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”, and “data relating to criminal convictions and offences or related security measures”. For the latter category we should only process those if there is a legal basis for such processing. Note that beyond that, specific legal provisions may specifically protect other categories of data, such as cardholder data (e.g. PCI-DSS) or other financial data, national register numbers, social security numbers or other identifiers of general use by the government or other bodies, …

[Please, determine the (main) legal basis for the (different) processing (operations) of special categories of personal data in scope by referring to one of the legal bases and explaining how it applies in this case, so for example]
(a) In case of a legal obligation: reference to the source of the legal obligation, as the case may be the joint reading of multiple provisions
(b) In case of explicit consent: reference to the (draft / template) contract
(c) In case of establishment, exercise or defence of legal claims: the reference to the type of legal claims and the parties to the claim (claimant and defendant)

(3) Basis for legitimate processing in case of transfer outside of the EU

This section focuses on the application of three main mechanisms to support structural transfers of personal data outside of the EU, namely (a) the countries involved are considered to provide equivalent or adequate data protection (art. 45 GDPR + website EC), (b) standard contractual clauses (art. 46 §2 c and d io. 93 §2 GDPR + website EC), or (c) binding corporate rules (art. 47 GDPR + website EDPB). Only for “one off” / occasional transfers can the derogations be looked at (art. 49 GDPR).

Note that at least since the so-called Schrems II decision (C-311/18) the transfer of personal data outside of the EU also requires an analysis of the legal system in the receiving countries to assess the data protection risk for the data subjects and to develop measures (like encryption and contractual arrangements) that keep the data protection risk (for the data subjects) low. Only in case of an adequacy decision (art. 45 GDPR) is such not required.

[Please, define the (business) purpose(s) of data processing, e.g. a new or changed service for the customers, digitalisation of an existing HR process for payroll administration, …]

(4) Local law legitimacy requirement

This section allows for the insertion of local law that may apply, especially outside of the EU.
[OR We are not aware of any local law that in addition needs to be applied to come to a legitimate processing of the information.]
[OR The following local law was brought to our attention and has the following impact for the legitimate processing of the information: (…)]

4.3. Check of the necessity and proportionality of the processing

(1) Necessity of the processing

Each of the bases for legitimate processing contains a necessity wording, i.e. only the necessary data processing can be legitimised. By consequence only the necessary processing can lawfully be performed.
[Please, argue that and how all processing described is necessary in reaching the purposes defined.]

(2) Data minimisation

Data minimisation is a basic principle of the data protection legislation (art. 5 §1 c GDPR): personal data must (only) be processed if it is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. In other words, only the minimum amount of relevant data should be processed, and such assessment should in principle be applied at each stage of the end-to-end process.
[Please, argue that and how only the minimum amount of relevant data is to be processed.]

(3) Avoidance of “function creep”

Function creep is the situation where data processed for one (bundle of) purpose(s) is (later) reused for other purposes, mainly because “we have the data anyway”.
[Please, argue that and how function creep is avoided.]
(4) Only need-to-know access

A limitation of the access to the data to only those people and parties that have a need to know is an application of the proportionality principle (art. 5 §1 f, 28, 29 and 32 GDPR).
[Please, argue that and how the (relevant) data is only accessible by / shared with people with a need to know. Note that in principle the parties involved will be mentioned in more detail in section 3.3.]

(5) Time limitation (“storage limitation”)

Storage limitation is a basic principle of the data protection legislation (art. 5 §1 e GDPR): personal data must (only) be processed if it is “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. In other words: data should only be kept if there is a demonstrable (legal) obligation (e.g. in support of accounting) or need to keep it (e.g. to demonstrate execution of an agreement), and no overriding (legal) obligation to destroy the data (e.g. a legal maximum retention period). If there is no longer a need to keep the data, it will be hard to argue longer retention.
[Please, argue that and how the (relevant) data is kept for as long as needed. Note that in principle the retention period is mentioned in section 3.3.]

5. Assessment of the (inherent) risks for the data subjects

A third mandatory part of a DPIA is “an assessment of the risk to the rights and freedoms of data subjects” (art. 35 §7 c GDPR).

Reference is made to section 2 for the (preliminary) assessment of the inherent risks for the data subjects.
[The reference above can suffice in some cases. This here is just an opportunity, but no need, to elaborate more extensively on the risks you have identified in section 2. You may do that by going through some “worst case” scenarios which impact the data subjects and for each of them determining the (worst) possible impact on the data subject and the probability for such an impact to realise itself, thus resulting in a risk score. Scenarios to consider are: breach of confidentiality (e.g. the data is published on a wikileaks-like website, in possession of a bad actor, or shared with a foreign government), breach of integrity (the data is knowingly or unbeknownst to us changed or corrupted), breach of availability (the data is lost or encrypted through ransomware), …]

6. Data protection by Design

An important part of the principle of accountability (art. 5 §2 GDPR) is the duty for the controller (art. 25 §1 GDPR) to “implement appropriate technical and organisational measures” “which are designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of (the GDPR) and protect the rights of data subjects”, under the following conditions:
- “taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing”
- “both at the time of the determination of the means for processing and at the time of the processing itself”
This obligation includes the obligation for security by design, i.e. “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” (art. 32 GDPR).

6.1. General

[Please, argue in general that and how the (personal) data processing is set up with data protection in mind.]

6.2. Specific measures

The specific measures taken can be categorised in a number of ways. Frameworks for information security, such as the ISO 27000 series and NIST 800-53, can also provide interesting inspiration. Article 32 §1 GDPR itself refers to “(a) the pseudonymisation and encryption of personal data, (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.

[Please, insert information on the specific measures (to be) taken, e.g.]
- Deciding not to collect certain types of data.
- Reducing the scope of the processing.
- Anonymising or pseudonymising data where and as soon as possible.
- Reducing retention periods.
- Using a different technology.
- Taking additional technological security measures.
- Writing internal guidance or processes to avoid risks.
- Instructing and training (relevant) staff to ensure risks are anticipated and managed.
- Putting clear data sharing agreements into place, especially with processors (art. 28 GDPR) or joint controllers (art. 26 GDPR).
- Ensuring audit assurance on the data processing, especially when performed by third parties (processors or joint controllers).
- Making changes to the privacy statement to increase transparency for the data subject (art. 12-14 GDPR).
- Offering individuals the chance to opt out, where appropriate.
- Implementing new systems to help individuals to exercise their rights (art. 12-23 GDPR).
- Adding a human element to review automated decisions (art. 22 GDPR), if any.

7. Assessment of the (residual) risks for the data subjects

A third mandatory part of a DPIA is “an assessment of the risk to the rights and freedoms of data subjects” (art. 35 §7 c GDPR). The inherent risks, so in principle PRIOR to the measures described in chapter 6, should be set out in chapters 2 and/or 5. This chapter looks at the risk AFTER the (implementation of the) measures described in chapter 6, to determine what the level of the residual risk is for the data subjects.
[EITHER]
After the measures described (see chapter 6), we assess the (residual) risks for the data subjects to be mitigated to a reasonable, low level of risk. We still identify the following risks and aim to control them as indicated above:
[Please, indicate what risks you still identify and the level you assess them at (with some brief explanation), e.g.]
- Privacy of the individuals (data subjects)
- Data protection of the individuals (data subjects)
- Discrimination of the individuals (data subjects)
- Retaliation against the individuals (data subjects)
- Bodily harm to the individuals (data subjects)
- Threat to life for the individuals (data subjects)

[OR]
After the measures described (see chapter 6), we assess the (residual) risks for the data subjects to be mitigated, but still to be at a high level. Reference is made to chapter 8 below.

8. Involvement of the data protection authority

If and when the DPIA leads to the result that even after the mitigating measures the risks for the data subjects are still high, the organisation must consult with the Data Protection Authority (in Belgium the Gegevensbeschermingsautoriteit or Autorité de Protection des Données) (art. 36 §3 GDPR). Any such consultation will be performed via the data protection officer (or in the absence thereof the legal office) of the organisation, or as the case may be, supported by an (external) legal counsel.

[DEFAULT] No data protection authority was involved, as such was not necessary.
[WHEN CONSULTED] The Belgian data protection authority was consulted via a case file (art. 36 §6 GDPR) provided to it on (date). The result of the consultation was as follows: (insert result).

9. Concluding remarks

[Please, state in short what conclusion you took from the final DPIA.]
[e.g. the open actions are integrated in the action log for the project.]
