Impact assessment

In this article we will talk about how to carry out an impact assessment with UTOPIA.
Data protection impact assessment

The normative references

To understand when an impact assessment is necessary, follow the instructions in Art. 35, together with the list of criteria proposed in the guidelines of the European guarantors and the list of processing operations recently published by the guarantor for the protection of personal data.

Given the generality of the references, the main element to consider in order to establish the need for an assessment, in addition to what is indicated at European and national level, is whether processing affects the rights and freedoms of individuals. In particular, by evaluating:

  • the use of new technologies, such as algorithms that work on large volumes of data, artificial intelligence, blockchain, radio frequencies, or others based on biometric data
  • the nature of the processing, including the context in which it is carried out
  • the object of the processing and the purposes for which it is carried out

It is essential to think properly about these dynamics, always taking into account the risks to the rights and freedoms of individuals and not the IT risks.

The lists of the European and national authorities are not exhaustive and leave companies and consultants room for discretion in implementing the principle of accountability.

How to create the evaluation with UTOPIA

To create a new DPIA, go to the DPIA menu, click the (+) button, and choose the linked processing activities register to create a new DPIA register. Then go to the evaluations section to add a new evaluation. As specified in Art. 35 of the regulation, you can group similar processing activities that present high risks and carry out a single evaluation.

The evaluation card is made of these sections:

Need: contains questions for evaluating the necessity and proportionality of the processing activity with respect to its purposes (e.g. whether the purposes are legitimate, determined and explicit, or whether the personal data processed are limited and adequate).

Rights: specify which rights are guaranteed to the data subject regarding the processing involved in the evaluation, such as the right of access, information or limitation.

Evaluation: contains the processing activity evaluation, if present. In this way it is always possible to see the level of risk detected without switching to other sections.

Risks: analyze and identify the risks to data subjects, including all security measures implemented or to be implemented. Start by clicking the add risk button and, after entering the description, specify the source, potential impact, likelihood and severity on a scale of values between 1 and 4.

Measures: for each risk, specify which security measures have been implemented, adding the subjects, the timing of implementation and, finally, the value of risk reduction.

Data subject: gather the opinions of data subjects.

Revisions: specify the next revision date so that UTOPIA reminds you to review the evaluation. Remember that the European regulation recommends carrying out a review when the risk profile changes.

Conclusions: add the final conclusions and the opinion of the DPO (if present).

After completing the evaluation, export it with a click in Word (.docx) or CSV (.csv) format according to your needs.
