Creating DPIAs
A Data Protection Impact Assessment (DPIA) helps to:
- Identify and minimize risks: The primary goal of a DPIA is to systematically analyze, identify, and minimize the data protection risks of a project or process.
- Evaluate necessity and proportionality: Assess whether the data processing operations are necessary and proportionate to achieve the intended purpose.
- Facilitate communication with data subjects: Ensure transparency and the ability to inform data subjects about the risks involved in data processing and the measures taken to mitigate those risks.
- Document compliance: Provide a documented process that demonstrates your organization’s accountability and compliance with GDPR.
DPIA Overview
Under the "DPIA" tab, you will find an overview of all your Data Protection Impact Assessments with the following information:
- Processing Activity: Displays the specific processing activity that was assessed in the DPIA.
- Creation Date: Shows the date when the DPIA was created, helping to keep track of when assessments were conducted.
- Authorities Informed: Indicates whether the relevant data protection authority has been informed about this DPIA. This matters for high-risk processing: where a DPIA shows that a high residual risk remains after mitigation, GDPR (Article 36) requires prior consultation of the supervisory authority.
- Overall Risk: Reflects the final risk level determined after completing the DPIA, such as "Low," "Medium," or "High."
By clicking on one of the assessments, you can enter the DPIA’s detail view, where you can find more comprehensive information about the specific assessment, including any associated tasks, identified risks, and mitigation measures.
Creating a DPIA
1. Navigate to the "DPIA" tab in the Kertos platform.
2. Click on the "+ Add Assessment" button to start creating a new DPIA.
3. Complete the Risk Assessment
- Processing Activity: In the first step you define the processing activity the DPIA covers by selecting it from a dropdown of predefined activities. Choose the activity that best matches the data processing operation you intend to assess; this selection sets the scope of the DPIA and determines which risks and mitigations need to be considered.
- Draft / Active Status: The DPIA can be initially saved as a draft or as active.
- Click "Add Risk" to create a new Risk.
- Fill out these fields:
- Title: Enter a descriptive title for the identified risk.
- Risk Description: Provide a detailed description of the risk, including any factors that contribute to its potential impact on data subjects.
- Likelihood: Select the likelihood of the risk occurring from the dropdown menu (e.g., Low, Medium, High, Very High).
- Severity: Choose the severity (e.g., Low, Medium, High, Very High) of the risk if it were to materialize.
- Overall Risk: The system automatically calculates the overall risk level from the likelihood and severity you selected. Check that the result matches your own judgement; it is the level that later appears in the DPIA overview.
- Does the company accept this risk? Indicate whether your organization is willing to accept the identified risk by selecting "Yes" or "No". For “No”:
- Mitigation Mechanisms: If the risk is not accepted, you can outline the measures your organization will implement to mitigate the risk. This might include technical controls, policy changes, or other relevant actions.
- Residual Risk Outcome: After implementing mitigation measures, select the residual risk outcome to reflect the new level of risk following these measures.
- Notes: Add any additional notes or observations related to the risk assessment. This section can be used to document decisions, discussions, or additional context that may be relevant for future reference.
- Once you have completed filling out the risk’s information, you can add another risk or continue to the next stages of the DPIA.
4. Click "Next" to proceed to the Assessment of Data Subject Rights section of the DPIA.
5. Assess Data Subject Rights
The next step in creating a DPIA involves assessing the impact of your data processing activities on the rights of data subjects. Kertos provides a comprehensive checklist of these rights, allowing you to evaluate how each right may be affected by the processing activity you are assessing.
You can toggle each right on or off depending on whether it is relevant to the specific DPIA you are conducting.
6. Describe Necessity and Proportionality
In this section, you will provide a detailed explanation of why the processing activity is necessary and how it is proportionate to the aims it seeks to achieve. Consider the following points:
- Necessity: Justify why the processing is required for the specific purpose. State whether any alternative methods could achieve the same goal with less impact on data privacy and, if so, why they were not chosen.
- Proportionality: Discuss how the processing activity balances the intended benefits against the potential risks to data subjects. Ensure that the measures you are taking are not excessive relative to the purpose of the processing.
7. Evaluation & Review
Final Assessment:
This should include a summary of the risks identified, the measures taken to mitigate these risks, and an overall evaluation of the necessity and proportionality of the processing activity.
Authorities Informed:
At this stage, you also need to indicate whether the relevant data protection authority has been informed about this DPIA. This is particularly important if the DPIA reveals a high residual risk that cannot be adequately mitigated: in that case GDPR (Article 36) requires you to consult the supervisory authority before starting the processing.
Select "Yes" or "No" to confirm whether the authorities have been notified.
8. Click "Save" to complete the DPIA process.