Saturday, September 16, 2017

Data Protection Impact Assessment

The GDPR sets out the requirement for a Data Protection Impact Assessment.

"Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks." [GDPR Article 35, Paragraph (1)].

The assessment shall contain at least [GDPR Article 35, Paragraph (7)]:

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; 
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; 
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and 
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.