Data Protection
Impact Assessment:
(EU GDPR
Requirement)
JOHN KYRIAZOGLOU
Flevy special publication
First published in November 2016
Annex 2: Data Protection Risk Identification Questionnaire
This annex contains a set of fifty-two (52) questions that enable enterprise managers to identify
whether the processing operations of their company can be perceived as potentially risky to the
protection of the personal data of individuals.
The purpose of this is to support you better in executing a DPIA for your company.
Annex 3. Privacy Risk Register
This annex contains a form that could be used to manage your privacy risks.
The purpose of this is to support you better in executing a DPIA for your company.
Annex 4. Suggested DPIA Report Format
This annex contains a standard report format that could be used to report the progress on all
privacy actions.
The purpose of this is to support you better in executing a DPIA for your company.
Annex 5. Proposed Risk Resolution Actions
This annex contains a set of proposed resolution actions for the risks related to following data
protection issues: Purpose specification; Data limitation; Information and access rights; Legal
basis for personal data processing and transfer; Personal data rectification and deletion; Personal
data quality and accuracy; Personal data security; Personal data sharing; Personal data retention;
and Personal data accountability.
The purpose of this is to support you better in executing a DPIA for your company.
Annex 6: Personal Data Checklist
This annex identifies some common types of personal data that are linked to individuals and
which (data) may be collected, processed, maintained, shared or used by enterprises in the
current socio-economic, business and digital environment.
The purpose of this list is to serve as a baseline to ensure that you have identified all personal
data that may be subject to applicable laws, regulations, and policies, so that you execute the
DPIA for your company better.
This document is a partial preview. Full document download can be found on Flevy:
http://flevy.com/browse/document/data-protection-impact-assessment-eu-gdpr-requirement-2543
Component 7: Data Protection Impact Assessment
Organizational data protection risk management processes operate across the life cycles of all
business processes and systems that collect, use, maintain, share, or dispose of personal data.
Data protection must be designed into management systems by default. Privacy impact
assessments (PIAs), or what the GDPR calls data protection impact assessments (DPIAs), must
be carried out for technologies and processes that are likely to result in a high risk to the rights of
data subjects. Most companies and organizations should, as part of their privacy-by-design and
privacy-by-default strategies, ensure that a DPIA is part of their risk assessment process in respect
of personal data.
According to Article 35 (Data protection impact assessment) of the GDPR:
‘4. A data protection impact assessment referred to in paragraph 1 shall in particular be required
in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is
based on automated processing, including profiling, and on which decisions are based that
produce legal effects concerning the natural person or similarly significantly affect the natural
person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of
personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
The supervisory authority shall establish and make public a list of the kind of processing
operations which are subject to the requirement for a data protection impact assessment pursuant
to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to
in Article 68.
5. The supervisory authority may also establish and make public a list of the kind of processing
operations for which no data protection impact assessment is required. The supervisory authority
shall communicate those lists to the Board.
6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory
authority shall apply the consistency mechanism referred to in Article 63 where such lists involve
processing activities which are related to the offering of goods or services to data subjects or to
the monitoring of their behaviour in several Member States, or may substantially affect the free
movement of personal data within the Union.
7. The assessment shall contain at least:
(a) a systematic description of the envisaged processing operations and the purposes of the
processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to
the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph
1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and
mechanisms to ensure the protection of personal data and to demonstrate compliance with this
Regulation taking into account the rights and legitimate interests of data subjects and other
persons concerned.
8. Compliance with approved codes of conduct referred to in Article 40 by the relevant
controllers or processors shall be taken into due account in assessing the impact of the processing
operations performed by such controllers or processors, in particular for the purposes of a data
protection impact assessment.’
Risks may be classified in different ways, and it is critical that all types of risk are considered:
from risks to the physical and mental safety of individuals, through risks of financial loss to
individuals and companies, to the psychological distress caused to people by one or more data
protection inadequacies.
Possible risks include:
1. The sharing and merging of databases can allow companies to collect a much wider set of
personal data than individuals might expect or want.
2. Ineffective data protection and disclosure controls by the companies increase the likelihood of
personal data being shared in the wrong way.
3. Measures and controls taken against individuals as a result of collecting personal data about
them might be seen as intrusive.
4. The context in which personal data are used or disclosed can change over time, leading to the
case where the collected personal data are used for different purposes without people’s knowledge.
5. New data collection mechanisms or surveillance methods may be an unjustified intrusion on
the privacy of individuals.
6. Vulnerable people may be particularly concerned about the risks of identification or the
disclosure of their personal data.
7. Personal data which are collected and stored unnecessarily, or are not properly managed so
that duplicate records are created, present a much greater security risk.
8. If a retention period is not established, personal data might be used for longer periods than
necessary.
Companies may want to develop their own ways to identify privacy risks and should incorporate
these into their existing corporate risk management system or their system development or project
management methodologies.
You may also use the following Data Protection Impact Assessment Methodology or develop
your own way to do this, based on a more general approach to managing risk.
2. Data Protection Impact Assessment Methodology
The risk assessment methodology described in the following paragraphs evaluates risks related
to the following ten (10) critical data protection issues of the EU Data Protection Regulation:
Purpose specification; Data limitation; Information and access rights; Legal basis for personal
data processing and transfer; Personal data rectification and deletion; Personal data quality and
accuracy; Personal data security; Personal data sharing; Personal data retention; and Personal
data accountability.
These are detailed next.
Step 2.5: ‘Legal basis for personal data processing and transfer’ risks
R #1: Risk of ‘not obtaining consent from individuals’; and
R #2: Risk of ‘fines imposed by authorities’.
The first risk (‘not obtaining consent from individuals’) arises when one or more individuals
threaten to announce publicly that they did not give their consent to the company’s collection of
their personal data. The second risk (‘fines imposed by authorities’) arises when an activist
group discovers instances where the company did not obtain the consent of the individuals, or
when an employee leaks memos showing that the company does not obtain informed consent.
Step 2.6: ‘Personal data rectification and deletion’ risks
R #1: Risk of ‘inability to amend data by individuals’; and
R #2: Risk of ‘bad image of the company’.
The first risk (‘inability to amend data by individuals’) arises when individuals complain about
how difficult it is to see and, if necessary, amend (or even delete) their personal data. The second
risk (‘bad image of the company’) results from the lack of specific and transparent procedures for
giving data subjects access to their personal data, which causes bad publicity for the company,
especially if the complaints of the individuals reach the media or activist groups or organizations.
Step 2.7: ‘Personal data quality and accuracy’ risks
R #1: Risk of ‘defective quality of data’; and
R #2: Risk of ‘unreliable decisions by the management of the company’.
The first risk (‘defective quality of data’) arises when the staff of your company do not have
enough time, resources, or the culture to check the reliability and quality of the information
(oral, written, or digital) they receive from individuals. The second risk (‘unreliable decisions by
the management of the company’) results from the poor quality of the personal data collected,
which may lead to inappropriate, incomplete or unreliable decisions that have a negative impact
on both the individuals concerned and the company itself.
Step 2.8: ‘Personal data security’ risks
R #1: Risk of ‘ineffective security controls’;
R #2: Risk of ‘data losses’; and
R #3: Risk of ‘claims for compensation by individuals’.
The first risk (‘ineffective security controls’) results from your security controls (physical,
administrative, technical, etc.) not being implemented fully and effectively.
Step 3.6: Record ‘Personal data rectification and deletion’ risks
(a) Review each of the risks related to ‘Personal data rectification and deletion’ (Risk of
‘inability to amend data by individuals’; and Risk of ‘bad image of the company’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These
fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High,
Medium, Low>; and <Risk description>.
Step 3.7: Record ‘Personal data quality and accuracy’ risks
(a) Review each of the risks related to ‘Personal data quality and accuracy’ (Risk of ‘defective
quality of data’; and Risk of ‘unreliable decisions by the management of the company’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These
fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High,
Medium, Low>; and <Risk description>.
Step 3.8: Record ‘Personal data security’ risks
(a) Review each of the risks related to ‘Personal data security’ (Risk of ‘ineffective security
controls’; Risk of ‘data losses’; and Risk of ‘claims for compensation by individuals’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These
fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High,
Medium, Low>; and <Risk description>.
Step 3.9: Record ‘Personal data sharing’ risks
(a) Review each of the risks related to ‘Personal data sharing’ (Risk of ‘inappropriate data
sharing’; Risk of ‘criminal liability due to uncontrolled sharing’; and Risk of ‘claims for
compensation by individuals’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These
fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High,
Medium, Low>; and <Risk description>.
Step 3.10: Record ‘Personal data retention’ risks
(a) Review each of the risks related to ‘Personal data retention’ (Risk of ‘fines imposed by
authorities due to undefined data retention’; and Risk of ‘increased costs of database
maintenance’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These
fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High,
Medium, Low>; and <Risk description>.
Step 4.8: Assess ‘Personal data security’ risks
(a) Armed with the replies (see previous steps), conduct a compliance check against the EU Data
Protection Act (see articles in the ‘reference’ section above) and other relevant legislation for
each of the above-recorded risks;
(b) Assess each of the identified ‘Personal data security’ risks (Risk of ‘ineffective security
controls’; Risk of ‘data losses’; and Risk of ‘claims for compensation by individuals’) in terms of
occurrence, impact and cost to the company; and
(c) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields
are: <Probability of occurrence>; <Impact>; and <Expected value of impact>.
Step 4.9: Assess ‘Personal data sharing’ risks
(a) Armed with the replies (see previous steps), conduct a compliance check against the EU Data
Protection Act (see articles in the ‘reference’ section above) and other relevant legislation for
each of the above-recorded risks;
(b) Assess each of the identified ‘Personal data sharing’ risks (Risk of ‘inappropriate data
sharing’; Risk of ‘criminal liability due to uncontrolled sharing’; and Risk of ‘claims for
compensation by individuals’) in terms of occurrence, impact and cost to the company; and
(c) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields
are: <Probability of occurrence>; <Impact>; and <Expected value of impact>.
Step 4.10: Assess ‘Personal data retention’ risks
(a) Armed with the replies (see previous steps), conduct a compliance check against the EU Data
Protection Act (see articles in the ‘reference’ section above) and other relevant legislation for
each of the above-recorded risks;
(b) Assess each of the identified ‘Personal data retention’ risks (Risk of ‘fines imposed by
authorities due to undefined data retention’; and Risk of ‘increased costs of database
maintenance’) in terms of occurrence, impact and cost to the company; and
(c) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields
are: <Probability of occurrence>; <Impact>; and <Expected value of impact>.
Step 4.11: Assess ‘Personal data accountability’ risks
(a) Armed with the replies (see previous steps), conduct a compliance check against the EU Data
Protection Act (see articles in the ‘reference’ section above) and other relevant legislation for
each of the above-recorded risks;
(b) Assess each of the identified ‘Personal data accountability’ risks (Risk of ‘fines imposed by
authorities due to non-compliance with regulations’; and Risk of ‘damages incurred by insider
data breaches’) in terms of occurrence, impact and cost to the company; and
(c) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields
are: <Probability of occurrence>; <Impact>; and <Expected value of impact>.
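The Step 3 recording fields and the Step 4 assessment fields above map directly onto a small Privacy Risk Register. The Python below is an added example and is not part of the original document or the author's toolkit; the risk owners, probabilities and EUR impacts are constructed for illustration, and the `issue` attribute is an assumed addition used to group risks by the ten data protection issues.

```python
"""Privacy Risk Register: the field set from Steps 3.x (record) and 4.x (assess)."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional


class Priority(Enum):
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"


@dataclass
class RiskEntry:
    # Step 3.x fields: <Title of risk>; <Risk owner>; <Risk sequence number>;
    # <Date>; <Priority: High, Medium, Low>; <Risk description>
    title: str
    risk_owner: str
    sequence_number: int
    recorded_on: date
    priority: Priority
    description: str
    issue: str  # assumed extra field: which of the ten data protection issues applies
    # Step 4.x fields: <Probability of occurrence>; <Impact>; filled in at assessment time
    probability: Optional[float] = None  # 0.0 to 1.0
    impact: Optional[float] = None       # cost to the company (EUR is an assumed unit)

    @property
    def expected_value(self) -> Optional[float]:
        """<Expected value of impact>: probability x impact; None until assessed."""
        if self.probability is None or self.impact is None:
            return None
        return self.probability * self.impact


class PrivacyRiskRegister:
    """In-memory register; sequence numbers are assigned in recording order."""

    def __init__(self) -> None:
        self._entries: List[RiskEntry] = []

    def record(self, issue: str, title: str, risk_owner: str, priority: Priority,
               description: str, recorded_on: Optional[date] = None) -> RiskEntry:
        """Step 3.x: record a risk with the six register fields."""
        entry = RiskEntry(title=title, risk_owner=risk_owner,
                          sequence_number=len(self._entries) + 1,
                          recorded_on=recorded_on or date.today(),
                          priority=priority, description=description, issue=issue)
        self._entries.append(entry)
        return entry

    def get(self, sequence_number: int) -> RiskEntry:
        for entry in self._entries:
            if entry.sequence_number == sequence_number:
                return entry
        raise KeyError(f"no risk with sequence number {sequence_number}")

    def assess(self, sequence_number: int, probability: float, impact: float) -> RiskEntry:
        """Step 4.x: attach probability and impact; out-of-range values are rejected."""
        if not 0.0 <= probability <= 1.0:
            raise ValueError("probability of occurrence must lie between 0 and 1")
        if impact < 0:
            raise ValueError("impact must be non-negative")
        entry = self.get(sequence_number)
        entry.probability = probability
        entry.impact = impact
        return entry

    def unassessed(self) -> List[RiskEntry]:
        """Risks recorded in Step 3 but not yet assessed in Step 4 (a register gap)."""
        return [e for e in self._entries if e.expected_value is None]

    def ranked(self) -> List[RiskEntry]:
        """Assessed risks, highest expected value first; priority breaks ties."""
        order = {Priority.HIGH: 0, Priority.MEDIUM: 1, Priority.LOW: 2}
        assessed = [e for e in self._entries if e.expected_value is not None]
        return sorted(assessed, key=lambda e: (-e.expected_value, order[e.priority]))

    def total_expected_value(self) -> float:
        return sum(e.expected_value for e in self.ranked())


def build_sample_register() -> PrivacyRiskRegister:
    """Constructed sample: the three Step 3.8 security risks plus one Step 3.10 retention
    risk, with made-up owners, probabilities and impacts for illustration only."""
    reg = PrivacyRiskRegister()
    when = date(2016, 11, 1)
    reg.record("Personal data security", "ineffective security controls", "CISO",
               Priority.HIGH, "Physical, administrative and technical controls not fully "
               "and effectively implemented.", when)
    reg.record("Personal data security", "data losses", "CISO", Priority.HIGH,
               "Loss or destruction of personal data held by the company.", when)
    reg.record("Personal data security", "claims for compensation by individuals", "DPO",
               Priority.MEDIUM, "Data subjects claim compensation after a security failure.", when)
    reg.record("Personal data retention", "increased costs of database maintenance",
               "Head of IT", Priority.LOW, "Data kept beyond need inflates storage costs.", when)
    # Step 4.8 assessment values (constructed): probability x impact = expected value
    reg.assess(1, 0.5, 120_000.0)   # 60 000
    reg.assess(2, 0.25, 200_000.0)  # 50 000
    reg.assess(3, 0.75, 40_000.0)   # 30 000
    # sequence 4 is deliberately left unassessed to show the Step 4 gap check
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for e in register.ranked():
        print(f"#{e.sequence_number} {e.title!r} ({e.priority.value}): "
              f"EV = {e.expected_value:,.0f}")
    print("Not yet assessed:", [e.title for e in register.unassessed()])
```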
Chapter 3: Data Protection and Privacy Audit Tools
Summary
This chapter contains four (4) audit questionnaires (DP&P Audit Tools) with over 138 audit
questions which are designed to review, assess and improve the data protection security and
privacy aspects of all enterprise structured and unstructured data (financial, personal, production,
sales, e-mail messages, etc.) processed and maintained by the IT function and information
systems of the enterprise.
Contents
· DP&P Audit Tool #01: Data Sensitivity Protection Assessment
· DP&P Audit Tool #02: Human Resource Cultural Controls Assessment
· DP&P Audit Tool #03: Data Privacy Principles Compliance Assessment
· DP&P Audit Tool #04: Data Privacy Corporate Issues Assessment
These are described next.
1. DP&P Audit Tool #01: Data Sensitivity Protection Assessment
1.1. Overview: This audit questionnaire contains 15 questions and is designed to support the
review and audit process of your company’s Data Sensitivity Protection and the specific issues
(e.g., risk, security procedures, etc.) contained in it.
1.2. Detail Audit Questions
Question 1: Does the risk assessment process of the company evaluate the risk involved of
sensitive data files, application programs and/or operating systems accessed and/or amended
without appropriate authority?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 2: Have sensitive data and applications been identified?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: Have appropriate security measures been implemented to restrict users’ access to
sensitive data and programs?
Consider: user ID and passwords; menu facilities; and management approval of menu options.
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
2.2. Detail Audit Questions
Question 1: Does the organization maintain up-to-date corporate human resources policies and
procedures, an employee handbook, along with the relevant IT personnel files and their
supporting documentation?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 2: Does the organization conduct reviews, or have an ongoing reporting system for
awarding benefits and pay increases (to all personnel, including IT), to ensure that they are
operated in a fair and equitable manner?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: Does the organization have a positive and supportive attitude towards integrity and
ethics education and training, and does this include all personnel, including IT?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 4: Does the organization conduct periodic reviews on ethics issues for IT personnel,
and have an ongoing system to report on outside activities, financial disclosure and other
components of the ethics program?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 5: Have all IT employees received conflict of interest/ethics training?
Does the organization conduct merit promotion case file reviews for IT personnel, and have an
ongoing reporting system that is used to assure that these programs are operating in a fair and
equitable manner?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 6: Does the organization ensure that there is equity of treatment and opportunity within
the employee relations and training programs, and does this include IT personnel?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 7: Does the organization periodically review, or have an ongoing system to report, the
time and attendance of IT employees?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: Have any ‘non-obvious’ uses of the data by the company been made clear to the data
subject?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Principle 3: Data Relevancy. Personal data shall be adequate, relevant and not excessive in
relation to the purpose or purposes for which they are processed.
Question 1: Is there a clear reason documented for processing each item of data by the company?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 2: Has the company verified that the same outcome or result could not be achieved,
safely and effectively, with less data?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: Where data are collected on a form by the company, does the form indicate to the data
subject which data are essential and which are voluntary to give?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 4: Is the data that is being processed by the company adequate for the purpose?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 5: Is the data that is being processed by the company no more than is necessary?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: If data are being kept for periods longer than the legal minimum is there a good
reason for doing so and is this documented?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 4: Are files (paper, digital/computerized) periodically cleaned of irrelevant data by
the company?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 5: Is there a clear justification for the length of time the data are retained by the
company?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 6: Can it be confirmed that data held by the company are not being kept on a ‘just in
case’ basis?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Principle 6: Fair Processing. Personal data shall be processed in accordance with the rights of
data subjects under this Act.
Question 1: Does the data subject know that their personal data are being processed by the
company?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 2: Does the data subject know why their personal data are being processed by the
company?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Principle 8: Transferring personal data overseas. Personal data shall not be transferred to a
country or territory outside the European Economic Area unless that country or territory ensures
an adequate level of protection for the rights and freedoms of data subjects in relation to the
processing of personal data.
Question 1: Where applicable, has the consent of the data subject been obtained to transfer
personal data to countries outside the European Economic Area which are not designated as
‘adequate’ by the appropriate state authority (Data Protection Authority, Information
Commissioner, etc.)?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
3.3. Evaluation Calculation for Data Privacy Principles Assessment
Score Achieved (SA) = <Sum of the above scores>
Perfect Score (PS) = 440 (44 questions x 10 points per question)
Final Evaluation Grade = (SA/PS) x 100%
Date:___ Signature: __________ Reviewer’s overall remarks:_________________________
4. DP&P Audit Tool #04: Data Privacy Corporate Issues Assessment
4.1. Overview: This audit questionnaire contains 71 questions and is designed to support the
review and audit process of your company’s Data Privacy Corporate aspects and the specific
issues (e.g. Organization and Management controls, Corporate Staff Training and Awareness
program, etc.) contained in it.
4.2. Detail Audit Questions
Organization and Management Issues
Question 1: Are the board and senior management members of the company/organization fully
aware of:
Question 4: Does induction training for new company staff include awareness of their data
protection responsibilities?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 5: Do company staff know where to seek advice from as regards data privacy and
protection?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 6: Is information security addressed in all training sessions?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 7: Are all company staff aware that unauthorised access to information of any form
(manual systems, computerized systems, etc.) is not allowed?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 8: Are all company staff leaving employment aware that any corporate (customer,
employees, research, etc.) information remains subject to confidentiality?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 9: Is there a clause to this effect built into all company staff (all levels of the
organization) employment contracts?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 10: Do all employee files maintained in the Human Resources Department include all
documents related to training and data protection controls, such as: signed confidentiality
statements by all company staff?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Question 7: Are users required to sign the Computer Users Policy prior to having an account
created?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 8: Is there a generic administrator account?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 9: Is there a record of the authorisation process and the privileges assigned?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 10: Does management conduct a review of access rights allocated at periodic intervals
using a documented process?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 11: Are user access rights re-allocated when they move groups within the organisation?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
IT Security Issues: Removable devices/media
Question 12: Are ports related to CD, DVD and USB drives enabled?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 13: Are such drives capable of copying files?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 14: Under what circumstances is ‘personal data’ held on laptops?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Reviewer’s comments:_________________________
Question 2: What security measures (e.g. encryption) are in place for this action (i.e. data
transfer)?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: Are there any audit trails/logs in place for this action (i.e. data transfer)?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
IT Operations Monitoring
Question 1: Are audit logs recording user activities (including read access), exceptions and
information security events produced and kept for an agreed period to assist future
investigations and access control monitoring by company management and other stakeholders?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 2: Are patterns of abnormal usage identifiable from log recording by the company IT
security staff?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: Has the company implemented procedures for monitoring use of information
processing systems?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 4: Are the results of such monitoring activities reviewed regularly by the appropriate
level of company management?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Business and Data Records Retention
Question 1: Is the company aware of any relevant legal requirements, or industry standards, for
periods of record retention?
Annex 1: Data Protection Impact Pre-Assessment Survey
Contents
1. Purpose
2. Survey Actions (SA)
2.1. SA #1: Identify population
2.2. SA #2: Define characteristics
2.3. SA #3: Describe categories of personal data
2.4. SA #4: Describe characteristics of your processing operations
2.5. SA #5: Describe monitoring activities
2.6. SA #6: Assess concerns of relevant entities
2.7. SA #7: Identify third parties
2.8. SA #8: Describe data collection mechanisms
2.9. SA #9: Describe purposes of legitimate processing
2.10. SA #10: Describe your territory
These are detailed in the next paragraphs.
1. Purpose
This pre-assessment survey includes a set of ten (10) actions. Its purpose is to enable enterprise
managers to identify whether the processing operations of their company can be perceived as
potentially risky to the protection of the personal data of individuals, so that, where this is the case, a
full-fledged Data Protection Impact Assessment is executed later.
2. Survey Actions (SA)
2.1. SA #1: Identify population. Based on the information that you process about your
company’s operations, identify one or more individuals about whom you are processing personal
data.
1. Examine whether the personal data used can be associated with a particular customer or employee,
either directly (e.g. by using names) or indirectly (e.g. by using license plates, social security
numbers, addresses, telephone numbers or other information that you hold, etc.).
2. Examine whether existing systems or a new project involve the collection of new personal data
about individuals, or whether they compel individuals to provide personal data about themselves.
Explanatory remarks: If you reply ‘YES’, then your activities constitute processing of personal
data under EU law. If you reply ‘NO’, then the data you process is not personal data under
EU law, and you do not need to do a full-fledged DPIA.
Reply: YES__ or NO_____
Reviewer’s comments:____________
2.9. SA #9: Describe purposes of legitimate processing. Describe the purposes for the
legitimate processing of personal data.
Explanatory remarks: These purposes may include: Employment (recruitment and job
applications, performance, management, planning and organization of work, health and safety at
work, exercise and enjoyment of rights and benefits related to employment, etc.); Sales of
products and services to customers; Health (preventive or occupational medicine, medical
diagnosis, the provision of care or treatment or the management of health-care services, etc.);
Historical, scientific, statistical or research purposes; Enforcement of legal claims and/or compliance with
law enforcement agencies; Exercise of the right to freedom of expression or information
(including in the media and the arts), etc.
Reply: YES____(provide details) or NO_____
Reviewer’s comments:____________
2.10. SA #10: Describe your territory. Describe whether your activities take place in European
territory.
Explanatory remarks: If you are not established in European Union territory, but you offer goods
or services to individuals in the EU or monitor them, then the EU data protection regulation
applies to your company.
Reply: YES____(provide details) or NO_____
Reviewer’s comments:____________
Details:_____(to be noted)
6. Identifying ‘Personal data quality and accuracy’ risks
Question 1: What processes are in place for ensuring personal data quality, i.e., that the
information is relevant, reliable, accurate, actionable?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 2: Is there a policy or procedure in place to correct personal data that has already been
shared with partners, or to notify partners about updates?
Reply:___(YES)___(NO)
Details:_____(to be noted)
7. Identifying ‘Personal data security’ risks
Question 1: What types of personal data are to be collected?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 2: Could disclosure of these personal data put the person in danger, in terms of: racial,
religious or other discrimination (sexual orientation, political views, trade union membership,
etc.)?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 3: Is there a risk of information being stolen, lost, damaged, altered, rendered
unavailable, hacked, etc.?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 4: What personal data security measures and controls are in place?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 5: Does the processing of personal data involve external organisations or third parties?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 6: Does this increase the data security risk (data theft, data breach, surveillance,
disclosure, etc.), by the processor?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 7: Is personal data limited to others on a ‘need to know’ basis?
Reply:___(YES)___(NO)
Question 5: Is too much personal data being kept for auditing or other purposes?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 6: Could personal data being kept for auditing or other purposes be minimised?
Reply:___(YES)___(NO)
Details:_____(to be noted)
10. Identifying ‘Personal data accountability’ risks
Question 1: Are data protection policies, standards and procedures effectively implemented?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 2: Has the company appointed a Data Protection Officer?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 3: Has the company appointed a Data Controller?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 4: Are oversight mechanisms in place to oversee existing data protection practices
and to provide guidance to the company?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Annex 5. Proposed Risk Resolution Actions
1. ‘Purpose specification’ risks and resolution actions
Purpose specification risks
R #1: Risk of ‘function creep’;
R #2: Risk of ‘damage to the company’s reputation’; and
R #3: Risk of ‘loss of profits’.
Proposed risk mitigation measures and controls
RMMC #1: By specifying and documenting the purposes for which personal data will be
collected and used;
RMMC #2: By training company staff; and
RMMC #3: By inserting a reference in the database files of all computerized applications to
ensure the purpose of personal data processing operations is always specified.
2. ‘Data limitation’ risks and resolution actions
Data limitation risks
R #1: Risk of ‘collecting more personal data’;
R #2: Risk of ‘damage to the company’s reputation’; and
R #3: Risk of ‘identity fraud or theft’.
Proposed risk mitigation measures and controls
RMMC #1: By ensuring that only the personal data necessary to achieve the purpose originally
specified by the company are collected;
RMMC #2: By giving people prior notice regarding the purposes of the data collection and
processing done;
RMMC #3: By giving individuals an opportunity to question the manner and purpose for which
their personal data are collected and processed; and
RMMC #4: By ensuring that security controls are implemented fully.
3. ‘Information and access rights’ risks and resolution actions
Information and access rights risks
R #1: Risk of ‘not providing clear and easily accessible information’; and
R #2: Risk of ‘individuals refraining from sharing their personal data’.
Proposed risk mitigation measures and controls
The second step to resolution is to note what actions (measures and controls) can be proposed for
the future.
9. ‘Personal data retention’ risks and resolution actions
Personal data retention risks
R #1: Risk of ‘fines imposed by authorities due to undefined data retention’; and
R #2: Risk of ‘increased costs of database maintenance’.
Proposed risk mitigation measures and controls
RMMC #1: By limiting the retention of personal data to what is necessary to fulfil specific,
explicit and legitimate purposes;
RMMC #2: By using the privacy-by-design approach and inserting a reference in the file to
ensure the data retention period is always specified; and
RMMC #3: By linking the data retention period to the purpose of the data processing operations.
10. ‘Personal data accountability’ risks and resolution actions
Personal data accountability risks
R #1: Risk of ‘fines imposed by authorities due to non-compliance with regulations’; and
R #2: Risk of ‘damages incurred by insider data breaches’.
Proposed risk mitigation measures and controls
RMMC #1: By implementing effective data protection policies, standards and procedures;
RMMC #2: By appointing a Data Protection Officer and a Data Controller; and
RMMC #3: By ensuring the full operation of oversight mechanisms (e.g. Corporate Compliance
Committee).
4. Data Type 4: Physical Personal Data (PD)
Field name #PD01: <Physical descriptor 1 (eye color) >
Field name #PD02: <Physical descriptor 2 (hair color) >
Field name #PD03: <Physical descriptor 3 (height) >
Field name #PD04: <Physical descriptor 4 (body marks) >
Field name #PD05: <Signature>
Field name #PD06: <Fingerprints>
Field name #PD07: <Handprints>
Field name #PD08: <Photo, scans (retinal, facial) >
Field name #PD10: <Voice>
Field name #PD11: <Physical movements (e.g., finger swipes, keystrokes) >
Field name #PD12: <DNA markers>
5. Data Type 5: Device-related Personal Data (DD)
Field name #DD01: <User names>
Field name #DD02: <Passwords>
Field name #DD03: <Unique device identifier>
Field name #DD04: <Location/GPS data>
Field name #DD05: <Camera controls (photo, video, videoconference)>
Field name #DD06: <Microphone controls>
Field name #DD07: <Other hardware/software controls>
Field name #DD08: <Photo data>
Field name #DD09: <Audio/sound data>
Field name #DD10: <Other device sensor controls>
Field name #DD11: <On/Off status and controls>
Field name #DD12: <Cell tower records (e.g., logs, user location, time, date) >
Field name #DD13: <Data collected by apps (itemize)>
Field name #DD14: <Contact lists and directories>
Field name #DD15: <Network communications data>
Field name #DD16: <Device settings (e.g., security, sharing, status, etc.) >

  • 1. Data Protection Impact Assessment: (EU GDPR Requirement)
JOHN KYRIAZOGLOU
Flevy special publication
First published in November 2016
  • 2. Annex 2: Data Protection Risk Identification Questionnaire
This annex contains a set of 52 (52) questions that enable enterprise managers to identify whether the processing operations of their company can be perceived as potentially risky to the protection of personal data of the individuals. The purpose of this is to support you better in executing a DPIA for your company.

Annex 3. Privacy Risk Register
This annex contains a form that could be used to manage your privacy risks. The purpose of this is to support you better in executing a DPIA for your company.

Annex 4. Suggested DPIA Report Format
This annex contains a standard report format that could be used to report the progress on all privacy actions. The purpose of this is to support you better in executing a DPIA for your company.

Annex 5. Proposed Risk Resolution Actions
This annex contains a set of proposed resolution actions for the risks related to the following data protection issues: Purpose specification; Data limitation; Information and access rights; Legal basis for personal data processing and transfer; Personal data rectification and deletion; Personal data quality and accuracy; Personal data security; Personal data sharing; Personal data retention; and Personal data accountability. The purpose of this is to support you better in executing a DPIA for your company.

Annex 6: Personal Data Checklist
This annex identifies some common types of personal data that are linked to individuals and which (data) may be collected, processed, maintained, shared or used by enterprises in the current socio-economic, business and digital environment. The purpose of this list is to be used as a baseline to ensure that you have identified all personal data that may be subject to applicable laws, regulations, and policies, so that you execute your DPIA for your company better.

This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/data-protection-impact-assessment-eu-gdpr-requirement-2543
  • 3. Component 7: Data Protection Impact Assessment
Organizational data protection risk management processes operate across the life cycles of all business processes and systems that collect, use, maintain, share, or dispose of personal data. Data protection must be designed into management systems by default. Privacy impact assessments (PIAs), or what the GDPR calls data protection impact assessments (DPIAs), must be done for technologies and processes that are likely to result in a high risk to the rights of data subjects. Most companies/organizations should, as part of their privacy-by-design and default strategies, ensure that a DPIA is part of their risk assessment process in respect of personal data.

According to Article 35 (Data protection impact assessment) of the GDPR:

‘4. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.
5. The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.
6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.
7. The assessment shall contain at least:
(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
8. Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.’
  • 4. Risks may be classified in different ways, and it is critical that all types of risk are considered: from risks to the physical and mental safety of individuals, to risks of financial losses to individuals and companies, to the psychological distress caused to people by one or more data protection inadequacies. Possible risks include:
1. The sharing and merging of databases can allow companies to collect a much wider set of personal data than individuals might expect or want.
2. Ineffective data protection and disclosure controls by the companies increase the likelihood of personal data being shared in the wrong way.
3. Measures and controls taken against individuals as a result of collecting personal data about them might be seen as intrusive.
4. The context in which personal data are used or disclosed can change over time, leading to the collected personal data being used for different purposes without people’s knowledge.
5. New data collection mechanisms or surveillance methods may be an unjustified intrusion on the privacy of individuals.
6. Vulnerable people may be particularly concerned about the risks of identification or the disclosure of their personal data.
7. Personal data which are collected and stored unnecessarily, or are not properly managed so that duplicate records are created, present a much greater security risk.
8. If a retention period is not established, personal data might be used for longer periods than necessary.

Companies may want to develop their own ways to identify privacy risks and should incorporate these into their existing corporate risk system, system development or project management methodologies. You may also use the following Data Protection Impact Assessment Methodology or develop your own way to do this, based on a more general approach to managing risk.

2. Data Protection Impact Assessment Methodology
The risk assessment methodology described in the following paragraphs evaluates risks related to the following ten (10) critical data protection issues of the EU Data Protection Regulation: Purpose specification; Data limitation; Information and access rights; Legal basis for personal data processing and transfer; Personal data rectification and deletion; Personal data quality and accuracy; Personal data security; Personal data sharing; Personal data retention; and Personal data accountability. These are detailed next.
  • 5. Step 2.5: ‘Legal basis for personal data processing and transfer’ risks
R #1: Risk of ‘not obtaining consent from individuals’; and
R #2: Risk of ‘fines imposed by authorities’.
The first risk (‘not obtaining consent from individuals’) arises when one or more individuals threaten to announce publicly that they did not give their consent to the company’s collection of their personal data. The second risk (‘fines imposed by authorities’) results from an activist group discovering instances where the company did not get the consent of the individuals, or from an employee leaking memos showing that the company does not get informed consent.

Step 2.6: ‘Personal data rectification and deletion’ risks
R #1: Risk of ‘inability to amend data by individuals’; and
R #2: Risk of ‘bad image of the company’.
The first risk (‘inability to amend data by individuals’) arises when individuals complain about how difficult it is to see and, if necessary, amend (or even delete) their personal data. The second risk (‘bad image of the company’) results from the lack of specific and transparent procedures for giving data subjects access to their personal data, which causes bad publicity for the company, especially if the complaints of the individuals reach the media or activist groups or organizations.

Step 2.7: ‘Personal data quality and accuracy’ risks
R #1: Risk of ‘defective quality of data’; and
R #2: Risk of ‘unreliable decisions by the management of the company’.
The first risk (‘defective quality of data’) arises when the staff of your company do not have enough time, resources, or the culture to check the reliability and quality of the information (oral, written, or digital) they receive from the individuals. The second risk (‘unreliable decisions by the management of the company’) results from the poor quality of the personal data collected, which may lead to inappropriate, incomplete or unreliable decisions that have a negative impact on both the individuals concerned and the company itself.

Step 2.8: ‘Personal data security’ risks
R #1: Risk of ‘ineffective security controls’;
R #2: Risk of ‘data losses’; and
R #3: Risk of ‘claims for compensation by individuals’.
The first risk (‘ineffective security controls’) results from your security controls (physical, administrative, technical, etc.) not being implemented fully and effectively.
  • 6. Step 3.6: Record ‘Personal data rectification and deletion’ risks
(a) Review each of the risks related to ‘Personal data rectification and deletion’ (Risk of ‘inability to amend data by individuals’; and Risk of ‘bad image of the company’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High, Medium, Low>; and <Risk description>.

Step 3.7: Record ‘Personal data quality and accuracy’ risks
(a) Review each of the risks related to ‘Personal data quality and accuracy’ (Risk of ‘defective quality of data’; and Risk of ‘unreliable decisions by the management of the company’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High, Medium, Low>; and <Risk description>.

Step 3.8: Record ‘Personal data security’ risks
(a) Review each of the risks related to ‘Personal data security’ (Risk of ‘ineffective security controls’; Risk of ‘data losses’; and Risk of ‘claims for compensation by individuals’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High, Medium, Low>; and <Risk description>.

Step 3.9: Record ‘Personal data sharing’ risks
(a) Review each of the risks related to ‘Personal data sharing’ (Risk of ‘inappropriate data sharing’; Risk of ‘criminal liability due to uncontrolled sharing’; and Risk of ‘claims for compensation by individuals’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High, Medium, Low>; and <Risk description>.

Step 3.10: Record ‘Personal data retention’ risks
(a) Review each of the risks related to ‘Personal data retention’ (Risk of ‘fines imposed by authorities due to undefined data retention’; and Risk of ‘increased costs of database maintenance’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High, Medium, Low>; and <Risk description>.
  • 7. Step 4.8: Assess ‘Personal data security’ risks
(a) Armed with the replies (see previous steps), conduct a compliance check against the EU Data Protection Act (see articles in the ‘reference’ section above) and other relevant legislation for each of the above-recorded risks;
(b) Assess each of the identified ‘Personal data security’ risks (Risk of ‘ineffective security controls’; Risk of ‘data losses’; and Risk of ‘claims for compensation by individuals’) in terms of occurrence, impact and cost to the company; and
(c) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields are: <Probability of occurrence>; <Impact>; and <Expected value of impact>.

Step 4.9: Assess ‘Personal data sharing’ risks
(a) Armed with the replies (see previous steps), conduct a compliance check against the EU Data Protection Act (see articles in the ‘reference’ section above) and other relevant legislation for each of the above-recorded risks;
(b) Assess each of the identified ‘Personal data sharing’ risks (Risk of ‘inappropriate data sharing’; Risk of ‘criminal liability due to uncontrolled sharing’; and Risk of ‘claims for compensation by individuals’) in terms of occurrence, impact and cost to the company; and
(c) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields are: <Probability of occurrence>; <Impact>; and <Expected value of impact>.

Step 4.10: Assess ‘Personal data retention’ risks
(a) Armed with the replies (see previous steps), conduct a compliance check against the EU Data Protection Act (see articles in the ‘reference’ section above) and other relevant legislation for each of the above-recorded risks;
(b) Assess each of the identified ‘Personal data retention’ risks (Risk of ‘fines imposed by authorities due to undefined data retention’; and Risk of ‘increased costs of database maintenance’) in terms of occurrence, impact and cost to the company; and
(c) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields are: <Probability of occurrence>; <Impact>; and <Expected value of impact>.

Step 4.11: Assess ‘Personal data accountability’ risks
(a) Armed with the replies (see previous steps), conduct a compliance check against the EU Data Protection Act (see articles in the ‘reference’ section above) and other relevant legislation for each of the above-recorded risks;
(b) Assess each of the identified ‘Personal data accountability’ risks (Risk of ‘fines imposed by authorities due to non-compliance with regulations’; and Risk of ‘damages incurred by insider data breaches’) in terms of occurrence, impact and cost to the company; and
(c) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields are: <Probability of occurrence>; <Impact>; and <Expected value of impact>.
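The Privacy Risk Register that Steps 3.x and 4.x fill in, as an added worked example (not code from the document or its author): the field names are the page's; the formula expected value = probability x impact, the probability (0 to 1) and impact (cost in EUR) scales, the ranking, and all owners and figures are assumptions constructed here.

```python
"""Privacy Risk Register covering Steps 3.x (record) and 4.x (assess).

Added example; the field names follow the page, while the formula
expected value = probability x impact, the scales and the ranking are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PRIORITIES = ("High", "Medium", "Low")


@dataclass
class PrivacyRisk:
    """One row of the register: Step 3 fields first, Step 4 fields after."""
    title: str
    owner: str
    sequence_number: int
    recorded_on: date
    priority: str
    description: str
    # Step 4 fields, empty until the risk has been assessed
    probability: Optional[float] = None   # assumed scale: 0.0 .. 1.0
    impact: Optional[float] = None        # assumed scale: cost to the company in EUR
    expected_value: Optional[float] = None

    def __post_init__(self) -> None:
        if self.priority not in PRIORITIES:
            raise ValueError(f"priority must be one of {PRIORITIES}, got {self.priority!r}")

    @property
    def assessed(self) -> bool:
        return self.expected_value is not None


class PrivacyRiskRegister:
    """Step 3: record risks; Step 4: assess them and rank by expected value."""

    def __init__(self) -> None:
        self._risks: dict[int, PrivacyRisk] = {}

    def record(self, title: str, owner: str, priority: str, description: str,
               recorded_on: Optional[date] = None) -> PrivacyRisk:
        # Sequence numbers are issued by the register so they stay unique.
        seq = len(self._risks) + 1
        risk = PrivacyRisk(title, owner, seq, recorded_on or date.today(),
                           priority, description)
        self._risks[seq] = risk
        return risk

    def assess(self, sequence_number: int, probability: float, impact: float) -> float:
        # A risk can only be assessed (Step 4) after it has been recorded (Step 3).
        if sequence_number not in self._risks:
            raise KeyError(f"risk #{sequence_number} was never recorded")
        if not 0.0 <= probability <= 1.0:
            raise ValueError("probability of occurrence must be within [0, 1]")
        if impact < 0:
            raise ValueError("impact must be non-negative")
        risk = self._risks[sequence_number]
        risk.probability = probability
        risk.impact = impact
        risk.expected_value = probability * impact   # assumed formula
        return risk.expected_value

    def unassessed(self) -> list[int]:
        """Sequence numbers of recorded risks still missing their Step 4 fields."""
        return [s for s, r in self._risks.items() if not r.assessed]

    def ranked(self) -> list[PrivacyRisk]:
        """Assessed risks, highest expected value of impact first."""
        return sorted((r for r in self._risks.values() if r.assessed),
                      key=lambda r: r.expected_value, reverse=True)


def demo_security_risks() -> PrivacyRiskRegister:
    """Steps 3.8 / 4.8 for the three 'Personal data security' risks named on the
    page, with constructed owners, probabilities and impacts."""
    reg = PrivacyRiskRegister()
    when = date(2016, 11, 1)
    reg.record("Ineffective security controls", "CISO", "High",
               "Physical, administrative and technical controls not fully implemented", when)
    reg.record("Data losses", "IT Operations", "High",
               "Loss of personal data through failure or breach", when)
    reg.record("Claims for compensation by individuals", "Legal", "Medium",
               "Data subjects claim damages after a breach", when)
    reg.assess(1, probability=0.30, impact=200_000.0)
    reg.assess(2, probability=0.10, impact=500_000.0)
    # Risk #3 is deliberately left unassessed so unassessed() has something to report.
    return reg


if __name__ == "__main__":
    register = demo_security_risks()
    for r in register.ranked():
        print(f"#{r.sequence_number} {r.title}: expected value {r.expected_value:,.0f}")
    print("still to assess:", register.unassessed())
```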
  • 8. Chapter 3: Data Protection and Privacy Audit Tools
Summary
This chapter contains four (4) audit questionnaires (DP&P Audit Tools) with over 138 audit questions, which are designed to review, assess and improve the data protection security and privacy aspects of all enterprise structured and unstructured data (financial, personal, production, sales, e-mail messages, etc.) processed and maintained by the IT function and information systems of the enterprise.

Contents
· DP&P Audit Tool #01: Data Sensitivity Protection Assessment
· DP&P Audit Tool #02: Human Resource Cultural Controls Assessment
· DP&P Audit Tool #03: Data Privacy Principles Compliance Assessment
· DP&P Audit Tool #04: Data Privacy Corporate Issues Assessment
These are described next.

1. DP&P Audit Tool #01: Data Sensitivity Protection Assessment
1.1. Overview: This audit questionnaire contains 15 questions and is designed to support the review and audit process of your company’s Data Sensitivity Protection and the specific issues (e.g., risk, security procedures, etc.) contained in it.
1.2. Detail Audit Questions
Question 1: Does the risk assessment process of the company evaluate the risk of sensitive data files, application programs and/or operating systems being accessed and/or amended without appropriate authority?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 2: Have sensitive data and applications been identified?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 3: Have appropriate security measures been implemented to restrict users’ access to sensitive data and programs? Consider: user IDs and passwords; menu facilities; and management approval of menu options.
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
  • 9. 2.2. Detail Audit Questions
Question 1: Does the organization maintain up-to-date corporate human resources policies and procedures, an employee handbook, along with the relevant IT personnel files and their supporting documentation?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 2: Does the organization conduct reviews, or have an ongoing reporting system for awarding benefits and pay increases (to all personnel, including IT), to ensure that they are operated in a fair and equitable manner?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 3: Does the organization have a positive and supportive attitude towards integrity and ethics education and training, and does this include all personnel, including IT?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 4: Does the organization conduct periodic reviews on ethics issues for IT personnel, and have an ongoing system to report on outside activities, financial disclosure and other components of the ethics program?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 5: Have all IT employees received conflict of interest/ethics training? Does the organization conduct merit promotion case file reviews for IT personnel, and have an ongoing reporting system that is used to assure that these programs are operating in a fair and equitable manner?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 6: Does the organization ensure that there is equity of treatment and opportunity within the employee relations and training programs, and does this include IT personnel?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 7: Does the organization periodically review, or have an ongoing system to report, the time and attendance of IT employees?
  • 10. Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 3: Have any ‘non-obvious’ uses of the data by the company been made clear to the data subject?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________

Principle 3: Data Relevancy. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Question 1: Is there a clear reason documented for processing each item of data by the company?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 2: Has the company verified that the same outcome or result could not be achieved, safely and effectively, with less data?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 3: Where data is collected on a form by the company, does it indicate to the data subject which data is essential and which is voluntary to give?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 4: Is the data that is being processed by the company adequate for the purpose?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 5: Is the data that is being processed by the company no more than is necessary?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
  • 11. Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 3: If data are being kept for periods longer than the legal minimum, is there a good reason for doing so and is this documented?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 4: Are files (paper, digital, computerized) periodically cleaned out of irrelevant data by the company?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 5: Is there a clear justification for the length of time the data are retained by the company?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 6: Can it be confirmed that data held by the company are not being kept on a ‘just in case’ basis?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________

Principle 6: Fair Processing. Personal data shall be processed in accordance with the rights of data subjects under this Act.
Question 1: Does the data subject know that their personal data are being processed by the company?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 2: Does the data subject know why their personal data are being processed by the company?
  • 12. Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________

Principle 8: Transferring personal data overseas. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Question 1: Where applicable, has the consent of the data subject been obtained to transfer personal data to countries outside the European Economic Area which are not designated as ‘adequate’ by the appropriate state authority (Data Protection Authority, Information Commissioner, etc.)?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________

3.3. Evaluation Calculation for Data Privacy Principles Assessment
Score Achieved (SA) = <Sum of above scores>
Perfect Score (PS) = 440 (44 questions x 10 points for each question)
Final Evaluation Grade = (SA/PS) x 100%
Date: ___ Signature: __________
Reviewer’s overall remarks: _________________________

4. DP&P Audit Tool #04: Data Privacy Corporate Issues Assessment
4.1. Overview: This audit questionnaire contains 71 questions and is designed to support the review and audit process of your company’s Data Privacy Corporate aspects and the specific issues (e.g. Organization and Management controls, Corporate Staff Training and Awareness program, etc.) contained in them.
4.2. Detail Audit Questions
Organization and Management Issues
Question 1: Are the board and senior management members of the company/organization fully aware of:
  • 13. Question 4: Does induction training for new company staff include awareness of their data protection responsibilities?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 5: Do company staff know where to seek advice from as regards data privacy and protection?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 6: Is information security addressed in all training sessions?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 7: Are all company staff aware that unauthorised access to information of any form (manual systems, computerized systems, etc.) is not allowed?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 8: Are all company staff leaving employment aware that any corporate (customer, employees, research, etc.) information remains subject to confidentiality?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 9: Is there a clause to this effect built into all company staff (all levels of the organization) employment contracts?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 10: Do all employee files maintained in the Human Resources Department include all documents related to training and data protection controls, such as signed confidentiality statements by all company staff?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
  • 14. Question 7: Are users required to sign the Computer Users Policy prior to having an account created?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 8: Is there a generic administrator account?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 9: Is there a record of the authorisation process and the privileges assigned?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 10: Does management conduct a review of access rights allocated at periodic intervals using a documented process?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 11: Are user access rights re-allocated when they move groups within the organisation?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________

IT Security Issues: Removable devices/media
Question 12: Are ports related to CD, DVD and USB drives enabled?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 13: Are such drives capable of copying files?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 14: Under what circumstances is ‘personal data’ held on laptops?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
  • 15. Reviewer’s comments: _________________________
Question 2: What security measures (e.g. encryption) are in place for this action (i.e. data transfer)?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 3: Are there any audit trails/logs in place for this action (i.e. data transfer)?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________

IT Operations Monitoring
Question 1: Are audit logs recording user activities (including read access), exceptions and information security events produced and kept for an agreed period, to assist future investigations and access control monitoring by company management and other stakeholders?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 2: Are patterns of abnormal usage identifiable from the log records by the company IT security staff?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 3: Has the company implemented procedures for monitoring use of information processing systems?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________
Question 4: Are the results of such monitoring activities reviewed regularly by the appropriate level of company management?
Yes: ___ No: ___ Score: 1 (lowest) to 10 (highest)
Reviewer’s comments: _________________________

Business and Data Records Retention
Question 1: Is the company aware of any relevant legal requirements, or industry standards, for periods of record retention?
Annex 1: Data Protection Impact Pre-Assessment Survey

Contents
1. Purpose
2. Survey Actions (SA)
2.1. SA #1: Identify population
2.2. SA #2: Define characteristics
2.3. SA #3: Describe categories of personal data
2.4. SA #4: Describe characteristics of your processing operations
2.5. SA #5: Describe monitoring activities
2.6. SA #6: Assess concerns of relevant entities
2.7. SA #7: Identify third parties
2.8. SA #8: Describe data collection mechanisms
2.9. SA #9: Describe purposes of legitimate processing
2.10. SA #10: Describe your territory

These are detailed in the next paragraphs.

1. Purpose

This pre-assessment survey includes a set of ten (10) actions. Its purpose is to enable enterprise managers to identify whether the processing operations of their company can be perceived as potentially risky to the protection of the personal data of individuals, so that a full-fledged Data Protection Impact Assessment can be executed later.

2. Survey Actions (SA)

2.1. SA #1: Identify population.

Based on the information that you process about your company’s operations, identify one or more individuals about whom you are processing personal data.

1. Examine whether the personal data used can be associated with a particular customer or employee, either directly (e.g. by using names) or indirectly (e.g. by using license plates, social security numbers, addresses, telephone numbers or other information that you hold).

2. Examine whether existing systems or a new project involve the collection of new personal data about individuals, or whether they compel individuals to provide personal data about themselves.

Explanatory remarks: If you reply ‘YES’, then your activities constitute processing of personal data under EU law. If you reply ‘NO’, then the data you process is not personal data under EU law, and you do not need to do a full-fledged DPIA.

Reply: YES__ or NO_____ Reviewer’s comments:____________
2.9. SA #9: Describe purposes of legitimate processing.

Describe the purposes for the legitimate processing of personal data.

Explanatory remarks: These purposes may include:
Employment (recruitment and job applications, performance, management, planning and organization of work, health and safety at work, exercise and enjoyment of rights and benefits related to employment, etc.);
Sales of products and services to customers;
Health (preventive or occupational medicine, medical diagnosis, the provision of care or treatment, the management of health-care services, etc.);
Historical, scientific, statistical or research purposes;
Enforcement of legal claims and/or compliance with law enforcement agencies;
Exercise of the right to freedom of expression or information (including in the media and the arts), etc.

Reply: YES____ (provide details) or NO_____ Reviewer’s comments:____________

2.10. SA #10: Describe your territory.

Describe whether your activities take place in European territory.

Explanatory remarks: If you are not established in European Union territory, but you offer goods or services to individuals in the EU or monitor them, then the EU data protection regulation applies to your company.

Reply: YES____ (provide details) or NO_____ Reviewer’s comments:____________
Details:_____ (to be noted)

6. Identifying ‘Personal data quality and accuracy’ risks

Question 1: What processes are in place for ensuring personal data quality, i.e. that the information is relevant, reliable, accurate and actionable?
Reply:___(YES)___(NO) Details:_____ (to be noted)

Question 2: Is there a policy or procedure in place to correct personal data that has already been shared with partners, or to notify partners about updates?
Reply:___(YES)___(NO) Details:_____ (to be noted)

7. Identifying ‘Personal data security’ risks

Question 1: What types of personal data are to be collected?
Reply:___(YES)___(NO) Details:_____ (to be noted)

Question 2: Could disclosure of these personal data put the person in danger, in terms of racial, religious or other discrimination (sexual orientation, political views, trade union membership, etc.)?
Reply:___(YES)___(NO) Details:_____ (to be noted)

Question 3: Is there a risk of information being stolen, lost, damaged, altered, rendered unavailable, hacked, etc.?
Reply:___(YES)___(NO) Details:_____ (to be noted)

Question 4: What personal data security measures and controls are in place?
Reply:___(YES)___(NO) Details:_____ (to be noted)

Question 5: Does the processing of personal data involve external organisations or third parties?
Reply:___(YES)___(NO) Details:_____ (to be noted)

Question 6: Does this increase the data security risk (data theft, data breach, surveillance, disclosure, etc.) on the processor’s side?
Reply:___(YES)___(NO) Details:_____ (to be noted)

Question 7: Is access to personal data by others limited on a ‘need to know’ basis?
Reply:___(YES)___(NO)
Question 5: Is too much personal data being kept for auditing or other purposes?
Reply:___(YES)___(NO) Details:_____ (to be noted)

Question 6: Could the personal data being kept for auditing or other purposes be minimised?
Reply:___(YES)___(NO) Details:_____ (to be noted)

10. Identifying ‘Personal data accountability’ risks

Question 1: Are data protection policies, standards and procedures effectively implemented?
Reply:___(YES)___(NO) Details:_____ (to be noted)

Question 2: Has the company appointed a Data Protection Officer?
Reply:___(YES)___(NO) Details:_____ (to be noted)

Question 3: Has the company appointed a Data Controller?
Reply:___(YES)___(NO) Details:_____ (to be noted)

Question 4: Are oversight mechanisms in place to oversee existing data protection practices and to provide guidance to the company?
Reply:___(YES)___(NO) Details:_____ (to be noted)
Annex 5. Proposed Risk Resolution Actions

1. ‘Purpose specification’ risks and resolution actions

Purpose specification risks
R #1: Risk of ‘function creep’;
R #2: Risk of ‘damage to the company’s reputation’; and
R #3: Risk of ‘loss of profits’.

Proposed risk mitigation measures and controls
RMMC #1: By specifying and documenting the purposes for which personal data will be collected and used;
RMMC #2: By training company staff; and
RMMC #3: By inserting a reference in the database files of all computerized applications to ensure the purpose of personal data processing operations is always specified.

2. ‘Data limitation’ risks and resolution actions

Data limitation risks
R #1: Risk of ‘collecting more personal data’;
R #2: Risk of ‘damage to the company’s reputation’; and
R #3: Risk of ‘identity fraud or theft’.

Proposed risk mitigation measures and controls
RMMC #1: By ensuring that only the personal data necessary to achieve the purpose originally specified by the company are collected;
RMMC #2: By giving people prior notice regarding the purposes of the data collection and processing done;
RMMC #3: By giving individuals an opportunity to question the manner and purpose for which their personal data are collected and processed; and
RMMC #4: By ensuring that security controls are implemented fully.

3. ‘Information and access rights’ risks and resolution actions

Information and access rights risks
R #1: Risk of ‘not providing clear and easily accessible information’; and
R #2: Risk of ‘individuals refraining from sharing their personal data’.

Proposed risk mitigation measures and controls
The second step to resolution is to note what actions (measures and controls) can be proposed for the future.
9. ‘Personal data retention’ risks and resolution actions

Personal data retention risks
R #1: Risk of ‘fines imposed by authorities due to undefined data retention’; and
R #2: Risk of ‘increased costs of database maintenance’.

Proposed risk mitigation measures and controls
RMMC #1: By limiting the retention of personal data to what is necessary to fulfil specific, explicit and legitimate purposes;
RMMC #2: By using the privacy-by-design approach and inserting a reference in the file to ensure the data retention period is always specified; and
RMMC #3: By linking the data retention period to the purpose of the data processing operations.

10. ‘Personal data accountability’ risks and resolution actions

Personal data accountability risks
R #1: Risk of ‘fines imposed by authorities due to non-compliance with regulations’; and
R #2: Risk of ‘damages incurred by insider data breaches’.

Proposed risk mitigation measures and controls
RMMC #1: By implementing effective data protection policies, standards and procedures;
RMMC #2: By appointing a Data Protection Officer and a Data Controller; and
RMMC #3: By ensuring the full operation of oversight mechanisms (e.g. a Corporate Compliance Committee).
4. Data Type 4: Physical Personal Data (PD)

Field name #PD01: <Physical descriptor 1 (eye color)>
Field name #PD02: <Physical descriptor 2 (hair color)>
Field name #PD03: <Physical descriptor 3 (height)>
Field name #PD04: <Physical descriptor 4 (body marks)>
Field name #PD05: <Signature>
Field name #PD06: <Fingerprints>
Field name #PD07: <Handprints>
Field name #PD08: <Photo, scans (retinal, facial)>
Field name #PD10: <Voice>
Field name #PD11: <Physical movements (e.g., finger swipes, keystrokes)>
Field name #PD12: <DNA markers>

5. Data Type 5: Device-related Personal Data (DD)

Field name #DD01: <User names>
Field name #DD02: <Passwords>
Field name #DD03: <Unique device identifier>
Field name #DD04: <Location/GPS data>
Field name #DD05: <Camera controls (photo, video, videoconference)>
Field name #DD06: <Microphone controls>
Field name #DD07: <Other hardware/software controls>
Field name #DD08: <Photo data>
Field name #DD09: <Audio/sound data>
Field name #DD10: <Other device sensor controls>
Field name #DD11: <On/Off status and controls>
Field name #DD12: <Cell tower records (e.g., logs, user location, time, date)>
Field name #DD13: <Data collected by apps (itemize)>
Field name #DD14: <Contact lists and directories>
Field name #DD15: <Network communications data>
Field name #DD16: <Device settings (e.g., security, sharing, status, etc.)>