WHAT IS IT
A data protection impact assessment (DPIA) is required any time you make significant changes to a process or system, there is a high risk to the data subject, you are doing CCTV-type monitoring, or you are holding medical or other special category data.
WHAT IS THE PROCESS
Involve all the stakeholders and get consensus on the issues and the necessary actions.
Write up the documentation and get feedback from the DPO or a nominated expert.
Make sure that whatever you decide is formally agreed, preferably in writing.
EXAMPLE OF WHAT YOU MIGHT WRITE TO A SUPPLIER
Dear Supplier
Data Protection Impact Assessment
Under the Data Protection Jersey Law we are required to make sure we have done a Data Protection Impact Assessment in any of the following circumstances.
Article 16 of the Data Protection Jersey Law
(5) A data protection impact assessment is, in particular, required in the case of
(a) a systematic and extensive evaluation of personal aspects relating to natural persons that is based on automated processing, and on which decisions are based that produce legal effects concerning, or similarly significantly affecting, those persons;
(b) the processing of special category data on a large scale; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
Data Sharing Agreement
We are also required to have a Data Sharing Agreement which makes clear the roles and responsibilities of the Data Controller ([organisation name]) and the Data Processor (your organisation). If you use any of the data for your own purposes (i.e. without explicit instruction from us), you will be regarded as a Joint Controller, with all the responsibilities that entails.
Action Required
Since your system/product constitutes [add detail here] we need you to complete the attached Data Protection Impact Assessment. If you have access to any of the data (even for testing or support) we need you to complete the attached Data Sharing Agreement.
Please complete and return these to us as soon as possible, because without them we cannot commit to the project; indeed, it would be a breach of the Data Protection Jersey Law to do so.
Yours sincerely
TEMPLATE / EXAMPLE
Name of controller | Add appropriate information here |
Subject/title of DPO | Add appropriate information here |
Name of controller contact /DPO (delete as appropriate) | Add appropriate information here |
STEP 1: IDENTIFY THE NEED FOR A DPIA
Explain broadly what the project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarise why you identified the need for a DPIA. | Add appropriate information here |
STEP 2: DESCRIBE THE PROCESSING
Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved? | Add appropriate information here |
Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover? | Add appropriate information here |
Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)? | Add appropriate information here |
Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing for you, and more broadly? | Add appropriate information here |
STEP 3: CONSULTATION PROCESS
Consider how to consult with relevant stakeholders: describe when and how you will seek individuals' views, or justify why it is not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts? | Add appropriate information here |
STEP 4: ASSESS NECESSITY AND PROPORTIONALITY
Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers? | Add appropriate information here |
STEP 5: IDENTIFY AND ASSESS RISKS
IDENTIFY AND ASSESS RISKS | Likelihood of harm | Severity of harm | Overall risk |
Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary. | Remote, possible or probable | Minimal, significant or severe | Low, medium or high |
add your data here | pick from above | pick from above | pick from above |
add your data here | pick from above | pick from above | pick from above |
add your data here | pick from above | pick from above | pick from above |
add your data here | pick from above | pick from above | pick from above |
add your data here | pick from above | pick from above | pick from above |
add your data here | pick from above | pick from above | pick from above |
add your data here | pick from above | pick from above | pick from above |
STEP 6: IDENTIFY MEASURES TO REDUCE RISK
IDENTIFY MEASURES TO REDUCE RISK | Effect on risk | Residual risk | Measure approved |
Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5. Options to reduce or eliminate risk | Eliminated, reduced or accepted | Low, medium or high | Yes/no |
add your data here | pick from above | pick from above | pick from above |
add your data here | pick from above | pick from above | pick from above |
add your data here | pick from above | pick from above | pick from above |
add your data here | pick from above | pick from above | pick from above |
add your data here | pick from above | pick from above | pick from above |
add your data here | pick from above | pick from above | pick from above |
add your data here | pick from above | pick from above | pick from above |