This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/data-protection-impact-assessment-eu-gdpr-requirement-2543
BENEFITS OF DOCUMENT
1. Support you in executing Data Protection Impact Assessments to comply with the EU GDPR
DOCUMENT DESCRIPTION
This document describes a set of methods and tools that enable, facilitate and support you in assessing your data protection risks and executing a Data Protection Impact Assessment
(DPIA) for existing as well as for new products, services, systems, functions and information systems, that collect, process and maintain personal data.
It may also be used to evaluate the data protection and privacy risks of the personal data your company collects, processes and stores and to comply with the requirements of the EU General Data Protection Regulation (Articles 27, 28, 34, 35, 36, 39, 53, 57, 58, 64 and recitals 53 and 58) for any enterprises located within the EU or doing business in the EU, regardless of their home base and central location offices (headquarters).
Annex 2: Data Protection Risk Identification Questionnaire
This annex contains a set of fifty-two (52) questions that enable enterprise managers to identify
whether the processing operations of their company can be perceived as potentially risky to the
protection of the personal data of individuals.
The purpose of this is to support you better in executing a DPIA for your company.
Annex 3. Privacy Risk Register
This annex contains a form that could be used to manage your privacy risks.
The purpose of this is to support you better in executing a DPIA for your company.
Annex 4. Suggested DPIA Report Format
This annex contains a standard report format that could be used to report the progress on all
privacy actions.
The purpose of this is to support you better in executing a DPIA for your company.
Annex 5. Proposed Risk Resolution Actions
This annex contains a set of proposed resolution actions for the risks related to following data
protection issues: Purpose specification; Data limitation; Information and access rights; Legal
basis for personal data processing and transfer; Personal data rectification and deletion; Personal
data quality and accuracy; Personal data security; Personal data sharing; Personal data retention;
and Personal data accountability.
The purpose of this is to support you better in executing a DPIA for your company.
Annex 6: Personal Data Checklist
This annex identifies some common types of personal data that are linked to individuals and
which (data) may be collected, processed, maintained, shared or used by enterprises in the
current socio-economic, business and digital environment.
The purpose of this list is to serve as a baseline to ensure that you have identified all personal
data that may be subject to applicable laws, regulations and policies, so that you execute the DPIA
for your company better.
This document is a partial preview. Full document download can be found on Flevy:
http://flevy.com/browse/document/data-protection-impact-assessment-eu-gdpr-requirement-2543
Component 7: Data Protection Impact Assessment
Organizational data protection risk management processes operate across the life cycles of all
business processes and systems that collect, use, maintain, share, or dispose of personal data.
Data protection must be designed into management systems by default. Privacy impact
assessments (PIAs), which the GDPR calls data protection impact assessments (DPIAs), must
be done for technologies and processes that are likely to result in a high risk to the rights of data
subjects. Most companies and organizations should, as part of their privacy-by-design and default
strategies, ensure that a DPIA is part of their risk assessment process in respect of personal data.
According to Article 35 (Data protection impact assessment) of the GDPR:
‘4. A data protection impact assessment referred to in paragraph 1 shall in particular be required
in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is
based on automated processing, including profiling, and on which decisions are based that
produce legal effects concerning the natural person or similarly significantly affect the natural
person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of
personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
The supervisory authority shall establish and make public a list of the kind of processing
operations which are subject to the requirement for a data protection impact assessment pursuant
to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to
in Article 68.
5. The supervisory authority may also establish and make public a list of the kind of processing
operations for which no data protection impact assessment is required. The supervisory authority
shall communicate those lists to the Board.
6. Prior to the adoption of the lists referred to in
paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism
referred to in Article 63 where such lists involve processing activities which are related to the
offering of goods or services to data subjects or to the monitoring of their behaviour in several
Member States, or may substantially affect the free movement of personal data within the Union.
7. The assessment shall contain at least: (a) a systematic description of the envisaged processing
operations and the purposes of the processing, including, where applicable, the legitimate interest
pursued by the controller; (b) an assessment of the necessity and proportionality of the
processing operations in relation to the purposes; (c) an assessment of the risks to the rights and
freedoms of data subjects referred to in paragraph 1; and (d) the measures envisaged to address
the risks, including safeguards, security measures and mechanisms to ensure the protection of
personal data and to demonstrate compliance with this Regulation taking into account the rights
and legitimate interests of data subjects and other persons concerned.
8. Compliance with approved codes of conduct referred to in Article 40 by the relevant
controllers or processors shall be taken into due account in assessing the impact of the processing
operations performed by such controllers or processors, in particular for the purposes of a data
protection impact assessment.’
Risks may be classified in different ways, and it is critical that all types of risk are considered:
risks to the physical and mental safety of individuals, risks of financial loss to individuals
and companies, and risks of psychological distress caused to people by one or more
data protection inadequacies.
Possible risks include:
1. The sharing and merging of data bases can allow companies to collect a much wider set of
personal data than individuals might expect or want.
2. Ineffective data protection and disclosure controls by the companies increase the likelihood of
personal data being shared in the wrong way.
3. Measures and controls taken against individuals as a result of collecting personal data about
them might be seen as intrusive.
4. The context in which personal data are used or disclosed can change over time, leading to a
situation where the collected personal data are used for different purposes without people’s knowledge.
5. New data collection mechanisms or surveillance methods may be an unjustified intrusion on
the privacy of individuals.
6. Vulnerable people may be particularly concerned about the risks of identification or the
disclosure of their personal data.
7. Personal data which are collected and stored unnecessarily, or are not properly managed so
that duplicate records are created, present a much greater security risk.
8. If a retention period is not established, personal data might be used for longer periods than
necessary.
Companies may want to develop their own ways to identify privacy risks and should incorporate
this with their own existing corporate risk system or system development or project management
methodologies.
You may also use the following Data Protection Impact Assessment Methodology or develop
your own way to do this, based on a more general approach to managing risk.
2. Data Protection Impact Assessment Methodology
This risk assessment methodology described in the following paragraphs evaluates risks related
to the following ten (10) critical data protection issues of the EU Data Protection Regulation:
Purpose specification; Data limitation; Information and access rights; Legal basis for personal
data processing and transfer; Personal data rectification and deletion; Personal data quality and
accuracy; Personal data security; Personal data sharing; Personal data retention; and Personal
data accountability.
These are detailed next.
Step 2.5: ‘Legal basis for personal data processing and transfer’ risks
R #1: Risk of ‘not obtaining consent from individuals’; and
R #2: Risk of ‘fines imposed by authorities’.
The first risk (‘not obtaining consent from individuals’) arises when one or more individuals
threaten to announce publicly that they did not give their consent to the company’s collection of
their personal data. The second risk (‘fines imposed by authorities’) arises when an activist
group discovers instances where the company did not get the consent of the individuals, or an
employee leaks memos showing that the company does not obtain informed consent.
Step 2.6: ‘Personal data rectification and deletion’ risks
R #1: Risk of ‘inability to amend data by individuals’; and
R #2: Risk of ‘bad image of the company’.
The first risk (‘inability to amend data by individuals’) arises when individuals complain
about how difficult it is to see and, if necessary, amend (or even delete) their personal
data. The second risk (‘bad image of the company’) results from the lack of specific and
transparent procedures for giving data subjects access to their personal data, which will cause bad
publicity for the company, especially if the complaints of the individuals reach the media or
activist groups or organizations.
Step 2.7: ‘Personal data quality and accuracy’ risks
R #1: Risk of ‘defective quality of data’; and
R #2: Risk of ‘unreliable decisions by the management of the company’.
The first risk (‘defective quality of data’) arises when the staff of your company do not
have enough time, resources, or the culture to check the reliability and quality of the information
(oral, written, or digital) they receive from the individuals. The second risk (‘unreliable
decisions by the management of the company’) results from the poor quality of the
personal data collected, which may lead to inappropriate, incomplete or
unreliable decisions that have a negative impact on both the individuals concerned and the
company itself.
Step 2.8: ‘Personal data security’ risks
R #1: Risk of ‘ineffective security controls’;
R #2: Risk of ‘data losses’; and
R #3: Risk of ‘claims for compensation by individuals’.
The first risk (‘ineffective security controls’) results from your security controls (physical,
administrative, technical, etc.) not being implemented fully and effectively.
Step 3.6: Record ‘Personal data rectification and deletion’ risks
(a) Review each of the risks related to ‘Personal data rectification and deletion’ (Risk of
‘inability to amend data by individuals’; and Risk of ‘bad image of the company’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These
fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High,
Medium, Low>; and <Risk description>.
Step 3.7: Record ‘Personal data quality and accuracy’ risks
(a) Review each of the risks related to ‘Personal data quality and accuracy’ (Risk of ‘defective
quality of data’; and Risk of ‘unreliable decisions by the management of the company’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These
fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High,
Medium, Low>; and <Risk description>.
Step 3.8: Record ‘Personal data security’ risks
(a) Review each of the risks related to ‘Personal data security’ (Risk of ‘ineffective security
controls’; Risk of ‘data losses’; and Risk of ‘claims for compensation by individuals’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These
fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High,
Medium, Low>; and <Risk description>.
Step 3.9: Record ‘Personal data sharing’ risks
(a) Review each of the risks related to ‘Personal data sharing’ (Risk of ‘inappropriate data
sharing’; Risk of ‘criminal liability due to uncontrolled sharing’; and Risk of ‘claims for
compensation by individuals’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These
fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High,
Medium, Low>; and <Risk description>.
Step 3.10: Record ‘Personal data retention’ risks
(a) Review each of the risks related to ‘Personal data retention’ (Risk of ‘fines imposed by
authorities due to undefined data retention’; and Risk of ‘increased costs of data base
maintenance’).
(b) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These
fields are: <Title of risk>; <Risk owner>; <Risk sequence number>; <Date>; <Priority: High,
Medium, Low>; and <Risk description>.
Step 4.8: Assess ‘Personal data security’ risks
(a) Armed with the replies (see previous steps), conduct a compliance check against the EU Data
Protection Act (see articles in the ‘reference’ section above) and other relevant legislation for
each of the above-recorded risks;
(b) Assess each of the identified ‘Personal data security’ risks (Risk of ‘ineffective security
controls’; Risk of ‘data losses’; and Risk of ‘claims for compensation by individuals’) in terms of
occurrence, impact and cost to the company; and
(c) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields
are: <Probability of occurrence>; <Impact>; and <Expected value of impact>.
Step 4.9: Assess ‘Personal data sharing’ risks
(a) Armed with the replies (see previous steps), conduct a compliance check against the EU Data
Protection Act (see articles in the ‘reference’ section above) and other relevant legislation for
each of the above-recorded risks;
(b) Assess each of the identified ‘Personal data sharing’ risks (Risk of ‘inappropriate data
sharing’; Risk of ‘criminal liability due to uncontrolled sharing’; and Risk of ‘claims for
compensation by individuals’) in terms of occurrence, impact and cost to the company; and
(c) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields
are: <Probability of occurrence>; <Impact>; and <Expected value of impact>.
Step 4.10: Assess ‘Personal data retention’ risks
(a) Armed with the replies (see previous steps), conduct a compliance check against the EU Data
Protection Act (see articles in the ‘reference’ section above) and other relevant legislation for
each of the above-recorded risks;
(b) Assess each of the identified ‘Personal data retention’ risks (Risk of ‘fines imposed by
authorities due to undefined data retention’; and Risk of ‘increased costs of data base
maintenance’) in terms of occurrence, impact and cost to the company; and
(c) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields
are: <Probability of occurrence>; <Impact>; and <Expected value of impact>.
Step 4.11: Assess ‘Personal data accountability’ risks
(a) Armed with the replies (see previous steps), conduct a compliance check against the EU Data
Protection Act (see articles in the ‘reference’ section above) and other relevant legislation for
each of the above-recorded risks;
(b) Assess each of the identified ‘Personal data accountability’ risks (Risk of ‘fines imposed by
authorities due to non-compliance with regulations’; and Risk of ‘damages incurred by insider
data breaches’) in terms of occurrence, impact and cost to the company; and
(c) Fill in the relevant data fields for each of these risks in the Privacy Risk Register. These fields
are: <Probability of occurrence>; <Impact>; and <Expected value of impact>.
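The record steps (3.6 to 3.10) and the assess steps (4.8 to 4.11) above both write into the same Privacy Risk Register, so the following added example models that register as code. It is not part of the original document or its Annex 3 form. The field names follow the text; the formula for <Expected value of impact> (probability multiplied by impact), the use of a monetary impact figure, and all sample entries and values are assumptions constructed for the example.

```python
"""Privacy Risk Register: record (Steps 3.x) and assess (Steps 4.x) risks.

Added example, not part of the original document. Field names follow the
register described in the text; the formula for <Expected value of impact>
(probability x impact) and the monetary impact figures are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

PRIORITIES = ("High", "Medium", "Low")


@dataclass
class Risk:
    title: str                           # <Title of risk>
    owner: str                           # <Risk owner>
    sequence: int                        # <Risk sequence number>
    recorded: date                       # <Date>
    priority: str                        # <Priority: High, Medium, Low>
    description: str                     # <Risk description>
    issue: str                           # data protection issue the risk belongs to
    probability: Optional[float] = None  # <Probability of occurrence>, 0.0 .. 1.0
    impact: Optional[float] = None       # <Impact>, cost to the company (assumed monetary)

    def __post_init__(self) -> None:
        if self.priority not in PRIORITIES:
            raise ValueError(f"priority must be one of {PRIORITIES}")

    @property
    def expected_value(self) -> Optional[float]:
        """<Expected value of impact>: probability x impact (assumed formula)."""
        if self.probability is None or self.impact is None:
            return None
        return self.probability * self.impact


class PrivacyRiskRegister:
    def __init__(self) -> None:
        self._risks: Dict[int, Risk] = {}

    def record(self, risk: Risk) -> None:
        """Step 3.x: enter the identification fields; sequence numbers must be unique."""
        if risk.sequence in self._risks:
            raise ValueError(f"sequence number {risk.sequence} already recorded")
        self._risks[risk.sequence] = risk

    def assess(self, sequence: int, probability: float, impact: float) -> float:
        """Step 4.x: fill in the assessment fields of an already recorded risk."""
        if not 0.0 <= probability <= 1.0:
            raise ValueError("probability must lie in [0, 1]")
        if impact < 0:
            raise ValueError("impact must be non-negative")
        risk = self._risks[sequence]  # KeyError if the risk was never recorded
        risk.probability, risk.impact = probability, impact
        return risk.expected_value

    def unassessed(self) -> List[int]:
        """Sequence numbers still missing the Step 4.x fields (gaps before reporting)."""
        return sorted(s for s, r in self._risks.items() if r.expected_value is None)

    def ranked(self) -> List[Risk]:
        """Assessed risks, highest expected value first, for the DPIA report."""
        assessed = [r for r in self._risks.values() if r.expected_value is not None]
        return sorted(assessed, key=lambda r: r.expected_value, reverse=True)

    def total_exposure(self, issue: Optional[str] = None) -> float:
        """Sum of expected values, optionally restricted to one data protection issue."""
        return sum(r.expected_value for r in self.ranked()
                   if issue is None or r.issue == issue)


def build_sample_register() -> PrivacyRiskRegister:
    """Constructed sample entries for Steps 3.8/4.8 and 3.10/4.10 (values are invented)."""
    reg = PrivacyRiskRegister()
    d = date(2018, 5, 25)
    sec, ret = "Personal data security", "Personal data retention"
    reg.record(Risk("Ineffective security controls", "CISO", 1, d, "High",
                    "Physical, administrative and technical controls not fully implemented", sec))
    reg.record(Risk("Data losses", "IT Operations", 2, d, "High",
                    "Loss of personal data through an incident or system failure", sec))
    reg.record(Risk("Claims for compensation by individuals", "Legal", 3, d, "Medium",
                    "Data subjects claim damages after a personal data incident", sec))
    reg.record(Risk("Fines imposed by authorities due to undefined data retention", "DPO", 4, d,
                    "Medium", "No retention period established for personal data", ret))
    reg.record(Risk("Increased costs of data base maintenance", "IT Operations", 5, d, "Low",
                    "Personal data kept longer than necessary", ret))
    # Step 4.x: constructed probabilities and impact figures (assumed in EUR)
    reg.assess(1, 0.4, 200_000)
    reg.assess(2, 0.2, 500_000)
    reg.assess(3, 0.1, 300_000)
    reg.assess(5, 0.5, 50_000)
    # sequence 4 is deliberately left unassessed so unassessed() has something to report
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for r in register.ranked():
        print(f"#{r.sequence} {r.title}: expected value {r.expected_value:,.0f}")
    print("still to assess:", register.unassessed())
```

The `unassessed()` check is the piece worth keeping even if the rest is replaced by a spreadsheet: a risk recorded in Step 3 but never given its Step 4 fields silently drops out of any ranking by expected value, so the report should list such gaps explicitly.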
Chapter 3: Data Protection and Privacy Audit Tools
Summary
This chapter contains four (4) audit questionnaires (DP&P Audit Tools) with over 138 audit
questions which are designed to review, assess and improve the data protection security and
privacy aspects of all enterprise structured and unstructured data (financial, personal, production,
sales, e-mail messages, etc.) processed and maintained by the IT function and information
systems of the enterprise.
Contents
· DP&P Audit Tool #01: Data Sensitivity Protection Assessment
· DP&P Audit Tool #02: Human Resource Cultural Controls Assessment
· DP&P Audit Tool #03: Data Privacy Principles Compliance Assessment
· DP&P Audit Tool #04: Data Privacy Corporate Issues Assessment
These are described next.
1. DP&P Audit Tool #01: Data Sensitivity Protection Assessment
1.1. Overview: This audit questionnaire contains 15 questions and is designed to support the
review and audit process of your company’s Data Sensitivity Protection and the specific issues
(e.g., risk, security procedures, etc.) contained in it.
1.2. Detail Audit Questions
Question 1: Does the risk assessment process of the company evaluate the risk of sensitive data
files, application programs and/or operating systems being accessed and/or amended without
appropriate authority?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 2: Have sensitive data and applications been identified?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: Have appropriate security measures been implemented to restrict users’ access to
sensitive data and programs?
Consider: user ID and passwords; menu facilities; and management approval of menu options.
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
2.2. Detail Audit Questions
Question 1: Does the organization maintain up-to-date corporate human resources policies and
procedures, an employee handbook, along with the relevant IT personnel files and their
supporting documentation?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 2: Does the organization conduct reviews, or have an ongoing reporting system for
awarding benefits and pay increases (to all personnel, including IT), to ensure that they are
operated in a fair and equitable manner?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: Does the organization have a positive and supportive attitude towards integrity and
ethics education and training, and does this include all personnel, including IT?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 4: Does the organization conduct periodic reviews on ethics issues for IT personnel,
and have an ongoing system to report on outside activities, financial disclosure and other
components of the ethics program?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 5: Have all IT employees received conflict of interest/ethics training?
Does the organization conduct merit promotion case file reviews for IT personnel, and have an
ongoing reporting system that is used to assure that these programs are operating in a fair and
equitable manner?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 6: Does the organization ensure that there is equity of treatment and opportunity within
the employee relations and training programs, and does this include IT personnel?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 7: Does the organization periodically review, or have an ongoing system to report, the
time and attendance of IT employees?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: Have any ‘non-obvious’ uses of the data by the company been made clear to the data
subject?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Principle 3: Data Relevancy. Personal data shall be adequate, relevant and not excessive in
relation to the purpose or purposes for which they are processed.
Question 1: Is there a clear reason documented for processing each item of data by the company?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 2: Has the company verified that the same outcome or result could not be achieved,
safely and effectively, with less data?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: Where data is collected on a form by the company, does it indicate to the data
subject that data which is essential and that which is voluntary to give?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 4: Is the data that is being processed by the company adequate for the purpose?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 5: Is the data that is being processed by the company no more than is necessary?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: If data are being kept for periods longer than the legal minimum is there a good
reason for doing so and is this documented?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 4: Are files (paper, digital computerized) periodically cleaned out of irrelevant data by
the company?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 5: Is there a clear justification for the length of time the data are retained by the
company?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 6: Can it be confirmed that data held by the company are not being kept on a ‘just in
case’ basis?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Principle 6: Fair Processing. Personal data shall be processed in accordance with the rights of
data subjects under this Act.
Question 1: Does the data subject know that their personal data are being processed by the
company?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 2: Does the data subject know why their personal data are being processed by the
company?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Principle 8: Transferring personal data overseas. Personal data shall not be transferred to a
country or territory outside the European Economic Area unless that country or territory ensures
an adequate level of protection for the rights and freedoms of data subjects in relation to the
processing of personal data.
Question 1: Where applicable, has the consent of the data subject been obtained to transfer
personal data to countries outside the European Economic Area which are not designated as
‘adequate’ by the appropriate state authority (Data Protection Authority, Information
Commissioner, etc.)?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
3.3. Evaluation Calculation for Data Privacy Principles Assessment
Score Achieved (SA) = <Sum of the above scores>
Perfect Score (PS) = 440 (44 questions x 10 points for each question)
Final Evaluation Grade = (SA / PS) x 100%
Date: ___ Signature: __________ Reviewer’s overall remarks: _________________________
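The evaluation calculation above is applied to a completed questionnaire, so the following added example (not part of the original document or its audit tools) parses filled-in answer lines in the layout the questionnaire uses, validates each score against the 1 to 10 range, and computes SA, PS and the grade. The tick convention (an `X` in the Yes or No blank) and the completed answers in the sample form are constructed for the example; a line still carrying the template text `1(lowest) to 10 (highest)` is treated as unanswered.

```python
"""Grade a completed DP&P Audit Tool questionnaire (section 3.3 calculation).

Added example, not part of the original document. The line layout mirrors the
questionnaire; the tick convention ('X' in a blank) and the sample answers are
constructed assumptions.
"""
import re
from typing import Dict, List, NamedTuple, Optional

QUESTION_RE = re.compile(r"^Question (\d+):\s*(.*)")
# Completed answer line, e.g. "Yes:_X_ No: ___ Score: 7"
ANSWER_RE = re.compile(r"Yes:\s*_*(X?)_*\s+No:\s*_*(X?)_*\s+Score:\s*(\d+)?")
TEMPLATE_MARK = "(lowest)"   # present only when the score blank was never filled in


class Answer(NamedTuple):
    number: int
    text: str
    yes: Optional[bool]      # None when neither box is ticked
    score: Optional[int]     # None when no score was entered


def parse_form(form: str) -> List[Answer]:
    """Pair each 'Question N:' heading with the answer line that follows it."""
    answers: List[Answer] = []
    current: Optional[List] = None       # [number, accumulated question text]
    for raw in form.splitlines():
        line = raw.strip()
        m = QUESTION_RE.match(line)
        if m:
            current = [int(m.group(1)), m.group(2).strip()]
            continue
        m = ANSWER_RE.search(line)
        if m and current is not None:
            yes_tick, no_tick, score = m.groups()
            yes = True if yes_tick else (False if no_tick else None)
            value = int(score) if score and TEMPLATE_MARK not in line else None
            answers.append(Answer(current[0], current[1], yes, value))
            current = None
        elif current is not None and not line.startswith("Reviewer"):
            current[1] += " " + line        # question text wrapped onto a second line
    return answers


def evaluate(answers: List[Answer], question_count: int) -> Dict[str, object]:
    """SA = sum of valid scores, PS = questions x 10, grade = SA / PS x 100%."""
    problems: List[str] = []
    sa = 0
    for a in answers:
        if a.score is None:
            problems.append(f"Q{a.number}: no score entered")
        elif not 1 <= a.score <= 10:
            problems.append(f"Q{a.number}: score {a.score} outside 1..10")
        else:
            sa += a.score
    if len(answers) < question_count:
        problems.append(f"only {len(answers)} of {question_count} questions answered")
    ps = question_count * 10
    return {
        "score_achieved": sa,
        "perfect_score": ps,
        "grade_pct": round(100.0 * sa / ps, 1),
        "answered_no": [a.number for a in answers if a.yes is False],
        "problems": problems,
    }


def grade_form(form: str, question_count: int) -> Dict[str, object]:
    return evaluate(parse_form(form), question_count)


# Constructed sample: four questions from Audit Tools #01 and #04 with invented answers.
SAMPLE_FORM = """\
Question 1: Does the risk assessment process of the company evaluate the risk of sensitive data
files being accessed without appropriate authority?
Yes:_X_ No: ___ Score: 8
Reviewer's comments: risk register reviewed
Question 2: Have sensitive data and applications been identified?
Yes:___ No: _X_ Score: 3
Reviewer's comments: inventory incomplete
Question 3: Have appropriate security measures been implemented to restrict users' access to
sensitive data and programs?
Yes:_X_ No: ___ Score: 12
Reviewer's comments: score entered outside the allowed range
Question 4: Is there a record of the authorisation process and the privileges assigned?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer's comments:_________________________
"""

if __name__ == "__main__":
    print(grade_form(SAMPLE_FORM, question_count=4))
```

The `answered_no` list is the practical output: a question answered No is the item that feeds the risk register, regardless of the numeric grade, and an out-of-range score is excluded from SA rather than silently inflating it.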
4. DP&P Audit Tool #04: Data Privacy Corporate Issues Assessment
4.1. Overview: This audit questionnaire contains 71 questions and is designed to support the
review and audit process of your company’s Data Privacy Corporate aspects and the specific
issues (e.g. Organization and Management controls, Corporate Staff Training and Awareness
program, etc.) contained in them.
4.2. Detail Audit Questions
Organization and Management Issues
Question 1: Are the board and senior management members of the company/organization fully
aware of:
Question 4: Does induction training for new company staff include awareness of their data
protection responsibilities?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 5: Do company staff know where to seek advice from as regards data privacy and
protection?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 6: Is information security addressed in all training sessions?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 7: Are all company staff aware that unauthorised access to information of any form
(manual systems, computerized systems, etc.) is not allowed?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 8: Are all company staff leaving employment aware that any corporate (customer,
employees, research, etc.) information remains subject to confidentiality?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 9: Is there a clause to this effect built into all company staff (all levels of the
organization) employment contracts?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 10: Do all employee files maintained in the Human Resources Department include all
documents related to training and data protection controls, such as: signed confidentiality
statements by all company staff?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Question 7: Are users required to sign the Computer Users Policy prior to having an account
created?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 8: Is there a generic administrator account?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 9: Is there a record of the authorisation process and the privileges assigned?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 10: Does management conduct a review of access rights allocated at periodic intervals
using a documented process?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 11: Are user access rights re-allocated when they move groups within the organisation?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
IT Security Issues: Removable devices/media
Question 12: Are ports related to CD, DVD, and USB drives enabled?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 13: Are such drives capable of copying files?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 14: Under what circumstances is ‘personal data’ held on laptops?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Reviewer’s comments:_________________________
Question 2: What security measures (E.g. encryption) are in place for this action (i.e. data
transfer)?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: Are there any audit trails/logs in place for this action (i.e. data transfer)?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
IT Operations Monitoring
Question 1: Are audit logs recording user activities (including read access), exceptions and
information security events produced and kept for an agreed period to assist future
investigations and access control monitoring by company management and other stakeholders?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 2: Are patterns of abnormal usage identifiable from log recording by the company IT
security staff?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 3: Has the company implemented procedures for monitoring use of information
processing systems?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Question 4: Are the results of such monitoring activities reviewed regularly by the appropriate
level of company management?
Yes:___ No: ___ Score: 1(lowest) to 10 (highest)
Reviewer’s comments:_________________________
Business and Data Records Retention
Question 1: Is the company aware of any relevant legal requirements, or industry standards, for
periods of record retention?
Annex 1: Data Protection Impact Pre-Assessment Survey
Contents
1. Purpose
2. Survey Actions (SA)
2.1. SA #1: Identify population
2.2. SA #2: Define characteristics
2.3. SA #3: Describe categories of personal data
2.4. SA #4: Describe characteristics of your processing operations
2.5. SA #5: Describe monitoring activities
2.6. SA #6: Assess concerns of relevant entities
2.7. SA #7: Identify third parties
2.8. SA #8: Describe data collection mechanisms
2.9. SA #9: Describe purposes of legitimate processing
2.10. SA #10: Describe your territory
These are detailed in the next paragraphs.
1. Purpose
This pre-assessment survey includes a set of ten (10) actions. Its purpose is to enable enterprise
managers to identify whether the processing operations of their company can be perceived as
potentially risky to the protection of personal data of the individuals so that a full-fledged Data
Protection Impact Assessment is executed later.
2. Survey Actions (SA)
2.1. SA #1: Identify population. Based on the information that you process about your
company’s operations, identify one or more individuals about whom you are processing personal
data.
1. Examine whether the personal data used can be associated with a particular customer or employee,
either directly (e.g. by using names) or indirectly (e.g. by using license plates, social security
numbers, addresses, telephone numbers or other information that you hold, etc.).
2. Examine whether existing systems or a new project involve the collection of new personal data
about individuals, or whether they compel individuals to provide personal data about themselves.
Explanatory remarks: If you reply ‘YES’, then your activities constitute processing of personal
data under EU law. If you reply ‘NO’, then the data you process is not personal data under
EU law, and you do not need to do a full-fledged DPIA.
Reply: YES__ or NO_____
Reviewer’s comments:____________
2.9. SA #9: Describe purposes of legitimate processing. Describe the purposes for the
legitimate processing of personal data.
Explanatory remarks: These purposes may include: Employment (recruitment and job
applications, performance, management, planning and organization of work, health and safety at
work, exercise and enjoyment of rights and benefits related to employment, etc.); Sales of
products and services to customers; Health (preventive or occupational medicine, medical
diagnosis, the provision of care or treatment or the management of health-care services, etc.);
Historical, scientific, statistical or research purposes; Enforcement of legal claims and/or compliance with
law enforcement agencies; Exercise of the right to freedom of expression or information
(including in the media and the arts), etc.
Reply: YES____(provide details) or NO_____
Reviewer’s comments:____________
2.10. SA #10: Describe your territory. Describe whether your activities take place in European
territory.
Explanatory remarks: If you are not established in European Union territory, but you offer goods
or services to individuals in the EU or monitor them, then the EU data protection regulation
applies to your company.
Reply: YES____(provide details) or NO_____
Reviewer’s comments:____________
Details:_____(to be noted)
6. Identifying ‘Personal data quality and accuracy’ risks
Question 1: What processes are in place for ensuring personal data quality, i.e., that the
information is relevant, reliable, accurate and actionable?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 2: Is there a policy or procedure in place to correct personal data that has already been
shared with partners, or to notify partners about updates?
Reply:___(YES)___(NO)
Details:_____(to be noted)
7. Identifying ‘Personal data security’ risks
Question 1: What types of personal data are to be collected?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 2: Could disclosure of these personal data put the person in danger, in terms of: racial,
religious or other discrimination (sexual orientation, political views, trade union membership,
etc.)?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 3: Is there a risk of information being stolen, lost, damaged, altered, rendered
unavailable, hacked, etc.?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 4: What personal data security measures and controls are in place?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 5: Does the processing of personal data involve external organisations or third parties?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 6: Does this increase the data security risk (data theft, data breach, surveillance,
disclosure, etc.) posed by the processor?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 7: Is access to personal data by others limited on a ‘need to know’ basis?
Reply:___(YES)___(NO)
Question 5: Is too much personal data being kept for auditing or other purposes?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 6: Could personal data being kept for auditing or other purposes be minimised?
Reply:___(YES)___(NO)
Details:_____(to be noted)
10. Identifying ‘Personal data accountability’ risks
Question 1: Are data protection policies, standards and procedures effectively implemented?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 2: Has the company appointed a Data Protection Officer?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 3: Has the company appointed a Data Controller?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Question 4: Are oversight mechanisms in place to oversee existing data protection practices
and to provide guidance to the company?
Reply:___(YES)___(NO)
Details:_____(to be noted)
Annex 5. Proposed Risk Resolution Actions
1. ‘Purpose specification’ risks and resolution actions
Purpose specification risks
R #1: Risk of ‘function creep’;
R #2: Risk of ‘damage to the company’s reputation’; and
R #3: Risk of ‘loss of profits’.
Proposed risk mitigation measures and controls
RMMC #1: By specifying and documenting the purposes for which personal data will be
collected and used;
RMMC #2: By training company staff; and
RMMC #3: By inserting a reference in the database files of all computerized applications to
ensure the purpose of personal data processing operations is always specified.
2. ‘Data limitation’ risks and resolution actions
Data limitation risks
R #1: Risk of ‘collecting more personal data’;
R #2: Risk of ‘damage to the company’s reputation’; and
R #3: Risk of ‘identity fraud or theft’.
Proposed risk mitigation measures and controls
RMMC #1: By ensuring that only the personal data which are necessary are collected to achieve
the purpose specified originally by the company;
RMMC #2: By giving people prior notice regarding the purposes of the data collection and
processing done;
RMMC #3: By giving individuals an opportunity to question the manner and purpose for which
their personal data are collected and processed; and
RMMC #4: By ensuring that security controls are implemented fully.
3. ‘Information and access rights’ risks and resolution actions
Information and access rights risks
R #1: Risk of ‘not providing clear and easily accessible information’; and
R #2: Risk of ‘individuals refraining from sharing their personal data’.
Proposed risk mitigation measures and controls
The second step to resolution is to note what actions (measures and controls) can be proposed for
the future.
9. ‘Personal data retention’ risks and resolution actions
Personal data retention risks
R #1: Risk of ‘fines imposed by authorities due to undefined data retention’; and
R #2: Risk of ‘increased costs of database maintenance’.
Proposed risk mitigation measures and controls
RMMC #1: By limiting the retention of personal data to what is necessary to fulfil specific,
explicit and legitimate purposes;
RMMC #2: By using the privacy-by-design approach and inserting a reference in the file to
ensure the data retention period is always specified; and
RMMC #3: By linking the data retention period to the purpose of the data processing operations.
10. ‘Personal data accountability’ risks and resolution actions
Personal data accountability risks
R #1: Risk of ‘fines imposed by authorities due to non-compliance with regulations’; and
R #2: Risk of ‘damages incurred by insider data breaches’.
Proposed risk mitigation measures and controls
RMMC #1: By implementing effective data protection policies, standards and procedures;
RMMC #2: By appointing a Data Protection Officer and a Data Controller; and
RMMC #3: By ensuring the full operation of oversight mechanisms (e.g. Corporate Compliance
Committee).
4. Data Type 4: Physical Personal Data (PD)
Field name #PD01: <Physical descriptor 1 (eye color)>
Field name #PD02: <Physical descriptor 2 (hair color)>
Field name #PD03: <Physical descriptor 3 (height)>
Field name #PD04: <Physical descriptor 4 (body marks)>
Field name #PD05: <Signature>
Field name #PD06: <Fingerprints>
Field name #PD07: <Handprints>
Field name #PD08: <Photo, scans (retinal, facial)>
Field name #PD10: <Voice>
Field name #PD11: <Physical movements (e.g., finger swipes, keystrokes)>
Field name #PD12: <DNA markers>
5. Data Type 5: Device-related Personal Data (DD)
Field name #DD01: <User names>
Field name #DD02: <Passwords>
Field name #DD03: <Unique device identifier>
Field name #DD04: <Location/GPS data>
Field name #DD05: <Camera controls (photo, video, videoconference)>
Field name #DD06: <Microphone controls>
Field name #DD07: <Other hardware/software controls>
Field name #DD08: <Photo data>
Field name #DD09: <Audio/sound data>
Field name #DD10: <Other device sensor controls>
Field name #DD11: <On/Off status and controls>
Field name #DD12: <Cell tower records (e.g., logs, user location, time, date)>
Field name #DD13: <Data collected by apps (itemize)>
Field name #DD14: <Contact lists and directories>
Field name #DD15: <Network communications data>
Field name #DD16: <Device settings (e.g., security, sharing, status, etc.)>