Article 35 of the GDPR provides for a mandatory DPIA when the processing activity is likely to result in a high risk to the rights and freedoms of natural persons. Examples include the processing on a large scale of special categories of data, the systematic monitoring of a publicly accessible area on a large scale, etc.
Furthermore, as provided by Article 25 of the GDPR, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, and ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
It is therefore crucial, for compliance with the GDPR, to implement effective management of information and risks from the early stages of the conception of new projects, and throughout the entire lifecycle of personal data processing.
For processing activities that may pose a high risk to the rights and freedoms of individuals, the GDPR requires a Data Protection Impact Assessment (DPIA) to be carried out.
MGSI relies on its expertise in data protection and its experience in risk analysis to assist you in the execution of a DPIA, and in particular to:
- Determine if a DPIA is required and the methodology to follow, adapted to your organisation
- Conduct information gathering from business owners
- Describe processing operations and their purposes
- Assess the necessity and proportionality
- Assess the risks to the rights and freedoms of data subjects
- Identify measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data
- Draft a final report for internal approval.
Need to carry out a DPIA?