DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx

Data Protection – Data Protection Impact Assessment (DPIA) - Template Page 1
AFRICAN BANKING CORPORATION
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE
INSTRUCTIONS:
Fill out this template prior to the commencement of any processing activity of personal data, or if you are making a significant change to the existing process
Integrate the final outcomes back into your project plan.
PART 1: Description of the processing activity
Project Name: CLIC
Project Outline: What and why
Explain broadly what the project aims to achieve and what
type of processing it involves
The project aims to provide financial inclusion for the unbanked population through its
three modules, i.e., wallet, social banking and marketplace/business hub. The primary
goal is to enable individuals without access to traditional banking services to engage in
financial transactions.
The processing involves the collection, storage, and utilization of personal data for various
purposes, such as creating digital wallets, facilitating social banking interactions, and
delivering targeted marketing content. The platform will manage user information to
enable secure and seamless financial transactions.
Who are the targeted data subjects? The targeted data subjects are individuals and entities within the unbanked population
who lack access to traditional financial services. These individuals include low-income
earners, marginalized communities and those residing in areas with limited banking
infrastructure.
What are the classes of data to be collected? Registration documents: To establish a unique digital identity for users.
Mobile Number: For communication, account verification, and transaction notifications.

Selfie Photo: Facial recognition for identity verification during the onboarding process.
What is the class of data subject ? (i.e. are there any
vulnerable groups / children that form part of the data
subjects)?
The primary class of data subjects includes the unbanked population seeking financial
inclusion. Within this group, there may be subcategories, such as individuals with limited
financial literacy or those residing in remote areas, and any vulnerable groups, such as
elderly users or minors, who are part of the targeted data subjects.
Describe Information Flow
Describe the collection, use, storage, transfer, archival and deletion of personal data here (It may be in a flow diagram or another format explaining
data flows) Information Flow
Collection: Where are you getting data from? The data will primarily be sourced directly from the individuals using the platform. User-
provided information such as ID numbers, telephone numbers, and selfies will be
collected during the onboarding process. The ID details are further validated through
IPRS .
Collection: How is the data being collected? Data will be collected through a digital onboarding process where users submit their ID
numbers, telephone numbers, and facial images (selfies). The platform use secure and
encrypted channels to ensure the confidentiality and integrity of the data during the
collection process.
Collection: How many individuals are likely to be affected
by the project?
The number of individuals affected will depend on the platform's adoption rate within the
target unbanked population.
A preliminary estimation of the potential user base will be conducted to gauge the scale of
the impact and assess the resources needed for data management.
Collection: How much data is likely to be collected? Personal and entity identification information
Storage: Where will the data be stored? The data will be stored in a secure on premise storage systems.
Storage: How long will the data be stored? Personal data will be stored for as long as necessary to fulfil the purposes for which it was
collected.

Usage: To what extent is the data being processed? The data will be processed to facilitate various platform functionalities, including user
onboarding for financial transactions.
Transfer: Where could the data be transferred to? Data will be transferred between servers within the Clic’s infrastructure
Archival: How will the data be archived? This will involve transferring data to a dedicated archival system
Disposal: How will the data be disposed? Using data erasure, software-based shredding tools and data shredding software or
hardware to permanently destroy electronic data beyond recovery.
Describe how the data processing flow complies with the seven data protection principles:
Lawfulness, fairness and transparency The onboarding process includes obtaining explicit consent from users, ensuring
transparency about the data collection and processing activities.
Purpose limitation The platform ensures that the user data is collected and processed solely for the specified
purposes outlined during onboarding. Data obtained, including ID details, telephone
numbers, and facial images, is used exclusively for account creation and transaction
processing.
Data minimization During onboarding, the platform gathers a limited set of data, including ID numbers,
telephone numbers, and facial images, to establish user accounts.
Accuracy The automatic fetching of IPRS data enhances the accuracy of user identification during
onboarding. Regular checks and validation mechanisms are implemented to ensure the
correctness of user-provided information, reducing the risk of errors and inaccuracies in
the stored data.
Storage limitation The storage of user data is limited to what is necessary for the intended purposes. The
platform minimizes the risk of holding unnecessary data and ensures compliance with the
storage limitation principle.
Integrity and confidentiality Our security measures safeguard user data from unauthorized access, ensuring the
confidentiality of personal information. Encryption protocols and secure storage solutions
prevent data tampering, promote data integrity and maintain the trust of users in the
platform's commitment to protecting their information

Accountability The platform maintains accountability by implementing measures that demonstrate
compliance with data protection principles. This includes regular assessments, audits, and
reviews of data processing activities. Clear documentation of data processing procedures,
privacy policies, and user consent ensures accountability for handling user data
responsibly and ethically.
Part 2: An assessment of the necessity and proportionality of the processing operations in relation to purpose
Describe compliance and proportionality, measures, in particular:
What is your lawful basis for processing This is based on the necessity of processing for the performance of a contract, as
users voluntarily engage with the platform to access financial services.
Additionally, consent is obtained during onboarding, providing a legal basis for
processing personal data.
How is consent to be obtained, if at all? Consent is obtained explicitly during the onboarding process. Users are presented
with clear and concise information about the data processing activities and must
actively agree to these terms before proceeding with the registration process.
Does the processing actually achieve your purpose? The processing activities align with the platform's defined purposes, ensuring that
the data collected is necessary for the creation of user accounts.
Is there another way to achieve the same outcome? The automated fetching of IPRS data enhances the accuracy of user identification
during onboarding.
How will ensure data quality and minimisation The data minimization principle is followed by collecting only the information
required for the intended purpose, reducing the risk of processing excessive or
irrelevant data.
What information will you give individuals? Individuals are provided with clear and transparent information about the data
processing activities during onboarding. This includes details about the types of
data collected, the purposes of processing, and the involvement of IPRS for ID and
PIN details.
How will you help to support their rights? The platform facilitates the exercise of individuals' rights by providing accessible
mechanisms for users to manage their data. This includes features to review and
update personal information.

What measures do you take to ensure compliance by the data
controller and processor?
To ensure comp
liance, the platform conducts regular assessments, audits, and reviews of data
processing activities. Clear documentation of data processing procedures, privacy
policies, and user consent is maintained. The platform actively monitors changes in
data protection laws and adjusts its practices accordingly.
What parties are involved in the processing and what are
their specific roles?
ABC Bank is the primary data processor, and it determines the purposes and
methods of processing secure storage for automated data retrieval.
How do you safeguard the processing of personal data? Through robust security measures, including encryption protocols, access controls,
and regular security audits. The platform implements industry-standard practices to
protect against unauthorized access, data breaches, and other security threats.
How do you safeguard any international transfer? The platform adheres to relevant legal mechanisms and data transfer mechanisms
approved by data protection authorities. These safeguards ensure that personal data
transferred internationally is adequately protected under data protection laws.
Part 3: An assessment of the risks to the rights and freedoms of data subjects
ASSESSMENT QUESTIONS (Screening Questions).
Explain what practical steps you will take t o ensure that you identify
and address privacy risks
One question answered ‘yes’ – DPIA not required, but recommended
At least two questions answered ‘yes’ – DPIA required
No questions answered ‘yes’, and the Initiative will have a minimal impact
on privacy – DPIA not required
YES
(Please give explanation)
NO
(Please give explanation)
Are you implementing a new system or process ? YES
The platform is implementing a new
system for financial inclusion
involving processes and functional
features.

Are you significantly changing a current system or process? NO
While modifications are introduced, they
do not constitute a significant change to
the existing system, ensuring a level of
continuity.
Will the project involve the collection of new identifiable or
potentially identifiable data about data subjects?
NO
The data collected remains within the
scope of personal identification, with no
introduction of entirely new categories of
identifiable information.
Will the project compel data subjects to provide information
about themselves, i.e. where they will have little awareness
or choice?
NO
The data collected remains within the
scope of personal identification, with no
introduction of entirely new categories of
identifiable information.
Will identifiable information about the data subjects be
shared with other organizations or people who have not
previously had routine access to the information?
NO
The data-sharing practices will remain
within established routine access, ensuring
responsible handling of identifiable
information.
Are you using information about data subjects for a purpose
it is not currently used for in a new way i.e. using data
collected to provide care for an evaluation of service
development / marketing ?
NO
The data collected will be exclusively used
to aid in the provisioning of financial
services.

Where the information about data subjects is being used,
would this be likely to raise privacy concerns or
expectations, i.e. will it include health records, criminal
records or other information that people may consider to be
sensitive and private and may cause them concern or
distress?
NO
The nature of the project minimizes the
likelihood of involving sensitive
information, such as health or criminal
records, reducing potential concern or
distress for individuals.
Will the project require you to contact data subjects in ways,
which they may find intrusive, such as telephoning or
emailing them without their prior consent?
NO
User contacts will be initiated with their
explicit consent during onboarding,
ensuring a non-intrusive communication
approach.
Will the project result in you making decisions in a way
which can have a significant impact on data subjects, i.e.
will it affect the services a person receives?
NO
The potential impact on decision-making is
deemed minimal, with the project's
functionalities designed to avoid
significant impacts on the services received
by users.
Does the project involve you using new technology which
might be perceived as being privacy intrusive, i.e. using
biometrics, facial recognition or automated decision
making?
NO
The technology used aligns with standard
data processing practices, without the
introduction of technologies perceived as
privacy intrusive.
Is a service being transferred to a new supplier (i.e. re-
contracted) and the end of an existing contract?
NO

There is no indication of service transfer
or re-contracting
Is processing of identifiable / potentially identifiable data
being moved to a new organization (but with the same staff
and processes)?
NO
There is no indication of data processing
relocation to a new organization, ensuring
the continuity of processes with the existing
staff and practices.
Example:Types of risks associated with the processing of personal data

Risks to data subjects
Risk of processing being unlawful and/or regarded as unfair due to more personal data being collected than is necessary for the intended purposes of
the processing
Risk of personal data being inaccurate due to collection or processing methods or the nature of the personal data being processed
Risk of personal data being retained longer than necessary or not properly managed so that duplicate records are created
Risk of personal data being inadvertently manipulated due to human error or otherwise
Risk of personal data being disclosed or accessed inappropriately due to inadequate access and disclosure controls
Collection of personal data may be regarded as unnecessary and/or overly intrusive having regard to the objectives of the Initiative
Risk of processing being unlawful and/or regarded as unfair due to scope and purposes of processing being extended inadvertently
Use of new technologies, approaches or methods may constitute an unjustified intrusion on the data subjects’ right to privacy
Risk of processing being regarded as unfair due to complexity of processing activities/involvement of algorithmic analysis
Risk of processing being regarded as unfair due to the combination of matching of multiple datasets
Identifiers may be collected and linked which prevent data subjects from accessing or using a service anonymously
Collection of personal data and linking identifiers may result in anonymisation being compromised
Vulnerable data subjects may be particularly concerned about risks of identification or disclosure of personal data
Processing of personal data may produce legal effects or similarly significantly affect the rights and interests of the data subject
Processing of personal data may result in inappropriate inferences being made or discrimination being suffered by the data subject
Disclosure of personal data may result in discrimination, victimisation and/or harassment
Compliance risks

Non-compliance with data protection laws, including the Data Protection Act 2019, the Kenya Information and Communication Act (especially Section
29) and other secondary legislation etc
Non-compliance with common law duty of confidentiality
Non-compliance with sector-specific legislation or standards
Associated organisational risks
Risk of regulatory sanctions and fines
Risk of reputational damage
Risk of considerable financial expenditure to mitigate any risk that has materialized
Risk of erosion of trust and confidence in processing activities resulting in loss of business
Risk of investment returns being reduced or eliminated
Risk of inaccurate, incomplete or outdated personal data having reduced value
Risk of claims from individuals for compensation

Part 4: The measures envisaged addressing the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data
and to demonstrate compliance with Data Protection Act.
Risk Assessment – Identifying Privacy Risks and Evaluating Privacy Solutions
Name of Data Controller / Processor ABC BANK
Project: CLIC
Risk Register
Owner: xxxx
Risk ID Risk Description Consequence Risk Owner Current internal
CONTROLS
(Provide details of how you
currently manage the risk)
Assessment of Risk Describe what
further ACTIONS
you will take to
reduce the
Impact/Likelihood
and mitigate the
risk.
(State who is the
risk owner for each
action)
Impact(A)
(1.2.3.4.5)
Likelihood
(B)(1.2.3.4.5)
Score=(
A+B)
R1 Unlawful processing of
personal data
1:Legal penalties,
including hefty fines
imposed by data
protection
authorities
2:Reputational
damage leading to
loss of trust among
customers and
partners
3: Lawsuits and
compensation claims
from affected
Operations 1:Establishment of
comprehensive data
protection policies and
procedures including
robust access controls,
encryption measures,
and data minimization
practices to safeguard
personal data from
unauthorized access or
exposure.
2: Conduct regular risk
assessments and privacy
impact assessments to
identify and mitigate
5 4 9

individuals resulting
in financial losses.
4.Long-Term
Business
Implications asl
processing of
personal data can
have long-term
implications for the
viability and
sustainability of an
organization
potential privacy risks
associated with data
processing activities
ensuring compliance
with relevant data
protection laws and
regulations.
3: Foster a culture of
privacy and data
protection within the
organization by raising
employee awareness
thus promoting
accountability, and
maintaining regulatory
compliance through
ongoing monitoring and
adaptation to evolving
threats and regulations.
R2 Processing of
inaccurate personal
data
1: Decision-Making
and Operations:
Inaccurate data can
undermine the
effectiveness of
decision-making
processes and
business operations.
Organizations rely
on accurate data for
Operations
1. Data Validation at
Point of Entry: We’ve
Implement data
validation checks and
controls at the point of
data entry such as when
customers open
accounts, apply for
loans, or update their
personal information, the
3 2 5

various purposes
such as customer
profiling, marketing
campaigns, product
development and
risk assessment.
Inaccurate data may
lead to suboptimal
outcomes and
missed opportunities
as it can distort
analytical insights
and forecasting
models that
eventually affects
organization's
strategic planning
and competitiveness.
2: Legal Liabilities
and Civil
Claims:Inaccurate
data processing can
expose organizations
to legal liabilities
and civil claims
from affected
individuals. If
individuals suffer
harm, financial loss
or emotional distress
due to inaccuracies
information shared is
validated against trusted
sources such as
government-issued IDs
to ensure accuracy and
completeness.
2. Training and
Awareness Programs:
The bank has launched
comprehensive training
and awareness programs
to bank employees on
data protection
principles, regulatory
requirements and the
importance of
maintaining data
accuracy. As a result, the
frontline staff, customer
service representatives
and back-office
personnel now
understand their roles
and responsibilities in
verifying and
maintaining accurate
customer data in the
wake of data protection.

in their personal
data, they may seek
compensation
through legal action
R2 Personal data being
retained longer than
necessary
1.Violation of Data
Minimization
Principle: Data
protection laws, such
as the GDPR,
require organizations
to adhere to the
principle of data
minimization which
means that personal
data should be
adequate, relevant
and limited to what
is necessary for the
purposes for which it
is processed.
Retaining personal
data longer than
necessary violates
this principle and
exposes ABC Bank
to potential
regulatory scrutiny
Operations
1. Data Retention
Policies: The bank has
developed and
implemented clear data
retention policies
specifying the types of
personal data collected,
the purposes for which it
is collected and the
retention periods for
different categories of
data. These data
retention policies are
regularly reviewed and
updated to reflect
changes in regulatory
requirements, business
needs and technological
advancements.
2: Regular Data Audits
and Reviews: The bank
Conducts regular audits
and reviews of personal
data stored within ABC
1 2 3

and enforcement
actions.
2: Ineffective Data
Management and
Storage Costs :
Retaining personal
data longer than
necessary leads to
ineffective data
management
practices and
unnecessary storage
costs. Storing
outdated or
irrelevant data
consumes resources
and infrastructure
without providing
any meaningful
value to the bank.
ABC Bank may
incur additional
expenses for
maintaining and
securing
unnecessary data
including storage,
maintenance and
cybersecurity
measures.
Bank's systems and
databases to identify
outdated, obsolete or
unnecessary data.
Additionally, the bank
has established
procedures for reviewing
and validating the
continued relevance and
necessity of retained
data and takes the
appropriate actions such
as deletion or archival
based on the audit
findings.

Inadvertent
manipulation of
personal data due to
human error or
otherwise
1: Increased
Regulatory
Scrutiny: Following
a data protection
incident, regulatory
authorities may
increase their
scrutiny of ABC
Bank's data handling
practices and
compliance efforts.
This could result in
additional audits,
inspections or
enforcement actions
placing further
pressure on the
bank's resources and
reputation.
2: Remediation
Costs: The Bank
may incur
significant costs to
remediate the
consequences of
inadvertent data
manipulation. This
could include
Operations
1: Incident Response
and Reporting
Procedures: The bank
has established incident
response and reporting
procedures to promptly
address data quality
issues, errors or
incidents of inadvertent
manipulation.
has defined clear
escalation paths,
reporting channels and
response protocols for
employees to report and
escalate data quality
issues to the appropriate
authorities.
2: Vendor
Management and
Oversight: The bank
has implemented
vendor management and
oversight processes to
ensure that third-party
vendors and service
providers adhere to data
2 1 3

conducting
investigations,
implementing
corrective measures,
providing
compensation to
affected individuals
and investing in
enhanced data
protection measures.
protection standards and
maintain the accuracy of
customer data.
Personal data being
disclosed or
accessed
inappropriately due
to inadequate
access and
disclosure controls
1: Loss of
Customer Trust
and Business
Impact:
Inadequate access
and disclosure
controls can
undermine
customer trust and
confidence in
ABC Bank's
ability to protect
their personal data
and privacy.
Customers may
Operations
1. Role-Based Access
Controls (RBAC): The
bank has implemented
RBAC to restrict access
to personal data based
on employees' roles,
responsibilities and the
principle of least
privilege.
2. Access Logging and
Monitoring: The bank
has put in place access
logging and monitoring
mechanisms to track and
record access to personal
data by employees,
2 2 4

choose to switch to
competitors or
reduce their
engagement with
the bank resulting
in a loss of
business, revenue
and market share.
2: Operational
Disruption and
Remediation
Costs: Data
breaches or
unauthorized
access incidents
can disrupt ABC
Bank's operations
leading to service
interruptions,
system downtime
and operational
inefficiencies.
including the date, time
and purpose of access.
Collection of
personal data is Legal Non-
Compliance:
Collecting personal
data that is
Operations
Privacy by Design and
Default: The bank has
adopted privacy by
2 2 4

unnecessary and/or
overly intrusive
unnecessary or overly
intrusive violates the
principles of data
minimization and
purpose limitation
under data protection
laws. Non-compliance
with these principles
can result in
investigations,
audits, and
enforcement actions
by regulatory
authorities leading
to fines, penalties or
sanctions against
ABC Bank.
design and default
principles in the
development of
products, services and
systems. This ensures
that data collection
mechanisms prioritize
privacy and incorporate
features such as data
minimization,
anonymization and user
consent.
Personal data being
processed for a new
or different purpose
Customer
Complaints and
Litigation:
Customers or data
subjects affected by
the unauthorized
processing of their
personal data may
file complaints with
regulatory
authorities or initiate
legal proceedings
Operations
Consent Management
Processes: The bank has
in place robust consent
management processes
to obtain explicit,
informed and freely
given consent from
individuals before
processing their personal
data for new or different
purposes. This ensures
that consent is obtained
2 2 4

against the bank.
Litigation related to
data protection
violations can result
in financial
liabilities, legal
expenses and
damages awarded to
affected individuals
for any harm,
distress or loss
suffered due to the
unauthorized
processing of their
data.
in a clear and transparent
manner providing
individuals with
sufficient information
about the purposes of
data processing, the
types of data collected
and their rights.
Unjustified
intrusion on the
data subjects’ right
to privacy
Operational
Disruptions and
Remediation Costs:
Addressing the
consequences of
unjustified intrusion
may necessitate
operational
disruptions, resource
reallocation and
remediation efforts
within ABC Bank.
The bank may incur
Operations
ICT
Access Controls and
User Permissions: The
bank has Implement
access controls and user
permissions to restrict
access to personal data
based on the principle of
least privilege. This
ensures that only
authorized personnel
have access to sensitive
customer information
and regularly review and
1 1 2

additional costs
associated with
implementing
corrective measures,
enhancing data
protection measures
and restoring trust
among stakeholders.
update access
permissions as needed.
Unfair processing
due to complexity
of processing
activities/involveme
nt of algorithmic
analysis
1: Fines and
Penalties:
Regulatory
authorities may
impose fines and
penalties on ABC
Bank for violations
of data protection
laws. The GDPR
allows for fines of
up to 4% of the
organization's
annual global
turnover, whichever
is higher for serious
infringements
including unfair
processing practices.
Operations
ICT
1: Algorithm
Governance
Framework: The bank
has established an
algorithm governance
framework to oversee
the development,
deployment and use of
algorithms in data
processing activities.
This framework defines
roles, responsibilities
and decision-making
processes related to
algorithmic analysis.
2: Algorithm
Transparency and
Explainability: The
bank has ensured the
2 3 5

2: Legal Actions
and Lawsuits: Data
subjects may file
complaints with
regulatory
authorities or initiate
legal actions against
ABC Bank for unfair
processing practices.
This could result in
legal liabilities,
damages and
reputational harm
for the bank.
transparency and
explainability of
algorithms used in data
processing activities.
Document algorithms
including their inputs,
outputs, logic and
decision-making criteria
to enable stakeholders to
understand and assess
their impact.
Unfair processing
due to the
combination or
matching of
multiple datasets
Loss of Customer
Trust: Unfair
processing practices
such as combining
or matching datasets
without transparency
or consent can
undermine customer
trust and confidence
in ABC Bank's
commitment to
protecting their
privacy and personal
data. Customers may
Operations
ICT
Data Mapping and
Inventory: The bank
has conducted a
comprehensive data
mapping exercise and
identified all datasets
within the bank
including sources, types
of data and data flows.
1 3 4

feel betrayed or
misled if they
discover that their
data has been
unfairly processed or
used for purposes
they did not consent
to leading to a loss
of trust and loyalty
to the bank.
Pseudonymised
personal data can
be relinked to
identify a data
subject.
Legal and
Regulatory
Penalties: If
personal data is
not adequately
protected and
pseudonymization
is compromised,
the bank may face
legal consequences
including fines and
sanctions imposed
by regulatory
authorities for
violating data
protection laws.
These penalties
Operations
ICT
Encryption and Data
Masking: The bank
has ensured that
sensitive data,
including
pseudonymized
personal data, is
encrypted both in
transit and at rest.
Additional , the bank
has implemented data
masking techniques to
conceal certain parts
of sensitive data thus
limiting access to only
those who need it for
legitimate purposes.
1 4 5

can be substantial
and could damage
the bank's
reputation.
Anonymization
Techniques: The
bank has put in place
advanced
anonymization
techniques such as
differential privacy or
k-anonymity to
further protect the
privacy of individuals
while still allowing for
meaningful data
analysis.
Anonymised
personal data can
be relinked to
identify a data
subject
Loss of
Competitive
Advantage:
Failure to
adequately protect
customer data may
lead to loss of
competitive edge
in the market.
Customers are
increasingly
concerned about
privacy and
security and they
Operations
ICT
Data Loss Prevention
(DLP) Solutions: The
bank has implemented
(Network,Email,Endp
oint and cloud ) DLP
solutions to monitor
and prevent
unauthorized transfer
or access to sensitive
data. These solutions
can helps detect and
block attempts to
relink anonymized
2 3 5

may choose to take
their business to
competitors with
better reputations
for safeguarding
personal
information.
data or unauthorized
data access.
Vulnerable group
may risk disclosure
of personal
information
Damage to
Customer
Relationships:
Personal
information is
often considered
sacred by
customers and a
breach of this trust
can lead to
damaged
relationships. This
is especially true
for vulnerable
groups who may
already be wary of
engaging with
financial
institutions.
Restoring these
Operations
ICT
Employee Training
and Awareness: The
bank has provided a
comprehensive
training and awareness
programs to educate
employees about data
protection policies,
best practices for
handling sensitive
information and the
importance of
safeguarding customer
data especially for
vulnerable groups.
2 3 5

relationships can
be challenging and
may require
significant effort
and investment in
rebuilding trust.
Automated
decisions are made
without human
intervention
Violation of
Privacy Rights:
Automated
decisions might
not adequately
consider individual
privacy rights or
data protection
principles. This
could lead to the
unauthorized
processing of
personal data or
decisions being
made based on
inaccurate or
incomplete
information.
Lack of
Accountability:
Operations
ICT
Bias Detection and
Mitigation: The bank
has embarked in the
process of regular
monitoring of
automated decision-
making systems for
biases and
discriminatory
outcomes using
techniques such as
fairness assessments
and algorithmic
audits. Additionally,
the bank has
implemented controls
to mitigate biases in
data sources and
algorithmic models
such as data
preprocessing
3 3 4

Without human
intervention, it
may be
challenging to
establish
accountability for
decisions made by
the system. This
could make it
difficult for
individuals to
challenge
decisions that
affect them such as
denial of a loan or
credit card
application.
Bias and
Discrimination:
Automated
systems can inherit
biases from the
data they are
trained on leading
to discriminatory
outcomes which
would be in
violation of anti-
techniques,
algorithmic
adjustments and
diversity in training
data.

discrimination
laws. Without
human oversight,
it may be harder to
detect and mitigate
these biases.
Compliance
Risk
Non compliance
with Privacy laws
e.g. DPA 2019,
GDOR, KICA (Sec
99) & other
secondary
legislations
Financial
Penalties and
Loss of Business
Opportunities: :
Non-compliance
with privacy laws
may result in
monetary
penalties. These
fines can amount
to up to €20
million or 4% of
the organization's
global annual
turnover,
whichever is
higher.
Additionally, it
Operations
ICT
To mitigate the risks
associated with non-
compliance with
privacy laws and
regulations, the bank
have implemented a
range of internal
controls such as
Compliance Policies
and Procedures, robust
data governance
framework to manage
the collection, storage,
processing and sharing
of personal data in
compliance with
privacy laws, risk
assessments to
4 4 2

may result in the
loss of business
opportunities as
customers and
partners may
choose to
disengage from
dealings with the
bank due to
concerns about
data protection and
privacy. This can
lead to a loss of
revenue and
market share.
identify potential
privacy risks and
vulnerabilities within
the bank's operations,
systems, and
processes and
technical and
organizational security
controls to protect
personal data from
unauthorized access,
disclosure, alteration
or destruction.
Non-compliance
with common law
duty of
confidentiality
Civil and
Criminal
Liability: The
breaches of
confidentiality and
non-compliance
with data
protection laws
can result in civil
lawsuits and even
criminal
prosecution.
Operations
ICT
To mitigate the
consequences
associated with non-
compliance with the
common law duty of
confidentiality
particularly in line
with data protection
principles the bank
have implemented a
range of internal
controls such as
3 3 4

Individuals
affected by
privacy breaches
may seek damages
for financial
losses, emotional
distress and other
harm suffered as a
result of the
breach.
Confidentiality
Policies and
Procedures, Data
Encryption, Security
Awareness Training
and Data Loss
Prevention (DLP).
These controls aim to
ensure the
confidentiality,
integrity and security
of customer
information while
adhering to legal and
regulatory
requirements.
Non-compliance
with sector-specific
legislation or
standards (e.g.
Banking Act)
Legal and
Regulatory
Sanctions: Non-
compliance with
sector-specific
legislation such as
the Banking Act,
can result in legal
and regulatory
sanctions.
Regulatory
authorities may
Operations
ICT
BC Bank conducts
regular compliance
audits to assess
adherence to sector-
specific legislation
and data protection
requirements by
engaging internal or
external auditors with
regulatory expertise to
identify and address
any gaps in practices.
2 1 7

impose fines
,penalties or other
punitive measures
on the bank for
violating statutory
requirements
related to data
protection.
Loss of License or
Accreditation:
Serious breaches
of sector-specific
legislation may
lead to the
suspension or
revocation of the
bank's license or
accreditation to
operate in the
financial services
sector. This could
have severe
consequences for
the bank's ability
to conduct
business and
maintain its
market position.
invests in
comprehensive
employee training and
awareness programs
covering pertinent
legislation and data
protection protocols
thus ensuring staff
understand their
compliance
responsibilities and
fostering a culture of
accountability. These
measures collectively
mitigate the risk of
non-compliance,
safeguarding the
bank's reputation and
regulatory standing.

Organizational
Risk
Risk of regulatory
sanctions and fines
Penalties can
include significant
monetary fines
imposed by
regulatory
authorities, often
scaled to the
severity and
duration of the
breach. Beyond
financial impact,
ABC bank may
suffer reputational
damage, eroding
trust among
stakeholders,
including
customers,
partners, and
investors.
Operations
ICT
ABC Bank has
instituted robust
internal controls to
ensure regulatory
compliance and
protect customer data.
These measures
include encrypting
sensitive data,
conducting regular
compliance audits and
providing
comprehensive
employee training on
data protection laws
and best practices
3 3 4
Risk of reputational
damage
A breach of data
protection laws
can lead to
Operations
ICT
ABC Bank has
established a
comprehensive
2 2 6

negative publicity,
erode customer
trust and tarnish
the company's
brand image.
Customers may
lose confidence in
the organization's
ability to protect
their sensitive
information
resulting in
customer attrition
and decreased
loyalty.
compliance
framework to mitigate
the risk of reputational
damage stemming
from non-compliance
regulations, notably
the Data Protection
Act (DPA). This
framework includes
robust data protection
policies and
procedures, regular
awareness programs,
thorough vendor
management practices
and a well-defined
incident response
plan.
Risk of considerable
financial
expenditure to
mitigate any risk
that has materialised
Significant
financial
expenditure to
mitigate
materialized risks
under the Data
Protection Act
Operations
ICT
The bank has been
conducting
comprehensive risk
assessments,
establishing a robust
compliance
framework aligned
2 3 5

(DPA) and which
can severely
impact the bank,
straining financial
resources and
jeopardizing
operational
sustainability.
with DPA
requirements,
providing ongoing
training and awareness
programs for
employees,
implementing data
encryption and
security measures,
conducting regular
compliance audits,
developing an incident
response plan,
managing vendors
effectively, and
ensuring board
oversight and
governance of data
protection activities.
Risk of erosion of
trust and confidence
in processing
activities resulting
in loss of business
A breach of data
protection laws
can lead to
negative publicity,
erode customer
trust and tarnish
the company's
brand image.
Operations
ICT
ABC Bank has
established a
comprehensive
compliance
damage stemming
from non-compliance
2 2 6

Customers may
lose confidence in
the organization's
ability to protect
their sensitive
information
resulting in
customer attrition
and decreased
loyalty.
the Data Protection
Act (DPA). This
framework includes
policies and
procedures, regular
awareness programs,
thorough vendor
and a well-defined
incident response
plan.
Risk of investment
returns being
reduced or
eliminated
Financial
Penalties and
Loss of Business
Opportunities: :
Non-compliance
with privacy laws
may result in
monetary
penalties. These
fines can amount
to up to €20
million or 4% of
Operations
ICT
ABC Bank has
established a
comprehensive
compliance
damage stemming
from non-compliance
the Data Protection
Act (DPA). This
2 3 5

the organization's
global annual
turnover,
whichever is
higher.
Additionally, it
may result in the
loss of business
opportunities as
customers and
partners may
choose to
disengage from
dealings with the
bank due to
concerns about
data protection and
privacy. This can
lead to a loss of
revenue and
market share.
framework includes
policies and
procedures, regular
awareness programs,
thorough vendor
and a well-defined
incident response
plan.
Risk of claims from
individuals for
compensation
ABC bank may
suffer reputational
damage, eroding
trust among
stakeholders,
including
Operations
ICT
ABC Bank has
established a
comprehensive
compliance
2 2 6

customers,
partners, and
investors.
damage stemming
from non-compliance
the Data Protection
Act (DPA). This
framework includes
policies and
procedures, regular
awareness programs,
thorough vendor
and a well-defined
incident response
plan.
Part 5: Sign off and Record Outcomes
ITEM DESCRIPTION NAME / DATE NOTES / INSTRUCTIIONS
Measures approved by: Integrate actions back into project plan, with date and responsibility
for completion
Residual risk approved by: If accepting any residual high risk, consult the ODPC before going
ahead.
DPO advise provided: DPO should advise on compliance, Part 4 measures and whether
processing can proceed.

Summary of DPO advise:
DPO advise accepted or overruled by: If overruled, you must explain your reasons
Comments:
Consultation responses reviewed by: If your decisions departs from individuals’ views, you must explain
your reasons
Comments:
Consultation with Office of the Data
Protection Commissioner response
Comments:
This DPIA will be kept under review by: The DPO should also review ongoing compliance with DPIA
Risk assessment methodology
Evaluation of Likelihood
Likelihood score 1 2 3 4 5
Description Rare Unlikely Possible Likely Almost certain
Frequency Will probably never happen
Not anticipated to
happen, but possible
Might happen or
recur occasionally
Will probably happen
or recur, but
notpersistently
Almost certain to happen or
recur,possibly frequently
Evaluation of impact of harm

Likelihood score 1 2 3 4 5
Description Very Low Low Medium High Very High
Impact Unlikely to have any impact May have an impact Likely to have an impact
Highly probably it
will have a
significant impact
Will have a major impact
Overall evaluation of risk
IMPACT Very High 5
High 4
Medium 3
Low 2
Very Low 1
Rare Unlikely Possible Likely Almost certain
1 2 3 4 5
LIKELYHOOD
LOW MEDIUM HIGH

DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx

More Related Content

What's hot

Similar to DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx

Recently uploaded

DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx