A DPIA builds on each stage of the process and includes the following steps:
- Describing the personal data you are processing, how the processing works, and the purposes of the processing
- Assessing the necessity and proportionality of the processing
- Assessing compliance with the GDPR (a gap analysis)
- Assessing the risks to the data subject from their perspective, not the risks to the organisation. This can extend beyond data protection risks (e.g. to freedom of thought and movement)
- Listing:
- the measures you will take to address the risks to the personal data;
- the documentation you will be using; and
- how you will monitor and review the processing
Form of DPIA
There is no particular template that you are required to use. A number of templates are available; please contact us if you would like a copy of one of ours.
Do you need to make the DPIA public?
There is no requirement in the Regulation to publish a DPIA, although doing so may well demonstrate trust and accountability, particularly where members of the public could be affected by the processing.
Consulting the supervisory authority
You must consult the ICO before starting the processing whenever the residual risks remain high after mitigation: for example, where individuals may face significant or even irreversible consequences, or where it is obvious that a risk will materialise.
What else do I need to know?
A failure to conduct a DPIA at all, to conduct it correctly, or to consult the ICO where required after undertaking one, can each lead to penalties of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher.