How to: perform a guided Data Protection Impact Assessment

There are two ways to perform a DPIA in RESPONSUM: ‘manual’ and ‘guided’. The manual approach will help you to centralize DPIA’s you have already documented. The guided approach will guide you through all the steps of a DPIA.

1. Go > Privacy Management > Data Protection by Design > Data Protection Impact Assessment
2. Click ‘Add new DPIA’.
3. Select ‘Guided’.

Set-up

1. Select the relevant Project from the list or create a new project by providing a ‘Project Name’ and ‘Project Description’ (this will trigger the creation of a new project item in the Projects sub-module).
2. Click ‘Next’.

Select Target of evaluation

1. Select the applicable ‘Project’ from the list.
2. Click ‘Next’.

Pre DPIA

1. To check if exceptions and potential obligations are applicable, select the applicable country from the list.
2. Check if one or more of the processing activities in scope resemble one of these whitelisted processing activities. Select the Whitelisted Processing Activity if applicable.
3. Check if one or more of the processing activities in scope resemble one of these blacklisted processing activities. Select the blacklisted Processing Activity if applicable.
4. Perform the DPIA check, by selecting ‘yes’ or ‘no’ in the list.
5. Provide a motivation in the description box.

Recommendation

1. RESPONSUM will provide you with a recommendation about whether or not a DPIA is necessary.
2. Final decision can be provided by the accountable and a justification can be filled in the ‘Justification’ field.

Risk Identification

1. Add a risk by clicking on the ‘Risk Dictionary’ and selecting the applicable risks or by adding a new risk to the dictionary.
2. Click on the ‘Risk type’ list to add a new type.
3. Click on the ‘Risk name Statement’ list to add a new statement.
4. Provide a description in the description field.
5. Click ‘Save’.

Risk Assessment

Impact for the data subject

1. Select a ‘Material’, ‘Physical’ or ‘Moral’ consequence(s), by ticking the box next to the consequence(s).
2. Click ‘Save’.
3. Click ‘Next’.

Probability that the risk will occur

1. Select for each consequence a probability score:
2. Unlikely: 0% – 20% to occur within the next year
3. Possible: 20% – 40% to occur within the next year
4. Likely: 40% – 60% to occur within the next year
5. Almost certain: 60% – 80% to occur within the next year)
6. Almost certain: 80% – 100% to occur within
7. Click ‘Next’.

Risk Calculation (Calculated)

1. You will receive a calculated risk level for each consequence.
2. Click ‘Next’.

Risk calculation manual alternations

1. Alter the risk level manually if justifiable.
2. Fill out the justification field for each alteration.
3. Click ‘Next’.

Risk handling action plan

Exceptions and potential obligations

1. Select the risk handling method from the ‘Risk handling’ list.
2. Provide an explanation and description of method choice.
3. Add the measure to accomplish the method, by clicking on ‘view or edit measure’. Create the measure by filling out the name, link the related IM System and deadline, by selecting a date in the box.
4. Click ‘save’.