To understand when an impact assessment is required, follow the instructions in Art. 35 of the GDPR, together with the list of criteria proposed in the guidelines of the European data protection authorities and the list of processing operations recently published by the national data protection authority.
Given how general these references are, the main element to consider when deciding whether an assessment is needed, beyond what is indicated at European and national level, is whether the processing affects the rights and freedoms of individuals. In particular, by evaluating:
It is essential to think these dynamics through properly, always keeping in mind the risks to the rights and freedoms of individuals rather than IT risks as such.
The lists published by the European and national authorities are not exhaustive and leave room for discretion, so that companies and consultants can apply the principle of accountability.
To create a new DPIA, go to the DPIA menu, click the (+) button and choose the linked processing activities register: this creates a new DPIA register. Then go to the evaluations section to add a new evaluation. As specified in Art. 35 of the regulation, similar processing activities that present high risks can be grouped and covered by a single evaluation.
The evaluation card is made of these sections:
Need: contains questions used to evaluate the necessity and proportionality of the processing activity with respect to its purposes (e.g. whether the purposes are legitimate, specified and explicit, or whether the personal data processed are limited and adequate).
Rights: specify which rights are guaranteed to the data subject regarding the processing involved in the evaluation, such as the right of access, information or limitation.
Evaluation: shows the evaluation of the processing activity, if one is present, so the detected level of risk is always visible without switching to other sections.
Risks: identify and analyse the risks to data subjects, including all security measures implemented or to be implemented. Click the add risk button, enter a description, then specify the source, the potential impact, and the likelihood and severity on a scale from 1 to 4.
Measures: for each risk, specify which security measures have been implemented, adding the subjects responsible, the timing of implementation and, finally, the resulting value of risk reduction.
Data subject: gather the opinions of data subjects.
Revisions: specify the next revision date so that UTOPIA reminds you to review the evaluation. Remember that the European regulation recommends reviewing the evaluation whenever the risk profile changes.
Conclusions: add the final conclusions and the opinion of the DPO (if present).
After completing the evaluation, export it with a single click in Word (.docx) or CSV (.csv) format, according to your needs.
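As an added illustration of the Risks and Measures sections and the CSV export (example code, not UTOPIA's own), the register below enforces the 1 to 4 scale for likelihood and severity, lets each measure carry a risk-reduction value, and flattens the result into CSV rows. The combination of likelihood and severity as a product, the subtraction of reduction values, and the CSV column set are assumptions for illustration, not the product's formula.

```python
# Added example, not UTOPIA's own code: a minimal risk register mirroring the
# Risks and Measures sections. Scale checks and residual arithmetic are assumptions.
import csv, io
from dataclasses import dataclass, field

SCALE = range(1, 5)  # the 1..4 scale the page uses for likelihood and severity

@dataclass
class Measure:
    description: str
    subjects: str    # who implements it
    timing: str      # when it is (to be) implemented
    reduction: int   # assumed: points subtracted from the inherent score

@dataclass
class Risk:
    description: str
    source: str
    impact: str
    likelihood: int
    severity: int
    measures: list = field(default_factory=list)

    def __post_init__(self):
        # Reject values outside the 1..4 scale instead of silently accepting them
        if self.likelihood not in SCALE or self.severity not in SCALE:
            raise ValueError("likelihood and severity must be between 1 and 4")

    def inherent_score(self) -> int:
        return self.likelihood * self.severity  # assumed combination: product

    def residual_score(self) -> int:
        # Measures lower the score but never below 1: a risk is never fully removed
        return max(1, self.inherent_score() - sum(m.reduction for m in self.measures))

def export_csv(risks) -> str:
    """Flatten the register into CSV rows (column set is an assumption)."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["risk", "source", "likelihood", "severity", "inherent", "residual"])
    for r in risks:
        w.writerow([r.description, r.source, r.likelihood, r.severity,
                    r.inherent_score(), r.residual_score()])
    return buf.getvalue()

# Constructed sample: one risk with two measures
SAMPLE = Risk("Unauthorised access to HR records", "external attacker", "confidentiality", 3, 4,
              [Measure("MFA on HR portal", "IT", "Q3", 4), Measure("Access reviews", "HR", "quarterly", 3)])
```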