Data Protection Impact Assessment (DPIA) Services
Data controllers and processors, i.e. organizations that carry out personal data processing operations, must comply with the requirements of the General Data Protection Regulation (GDPR) in order to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data.
Where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a Data Protection Impact Assessment, DPIA).
A DPIA is a process designed to describe the processing, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing those risks and determining the measures to address them. DPIAs are important tools for accountability, as they help controllers not only to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with it. In other words, a DPIA is a process for building and demonstrating compliance. The State Data Protection Inspectorate (SDPI) has approved the list of data processing operations subject to the requirement to perform a DPIA.
Under the GDPR, non-compliance with DPIA requirements can lead to fines imposed by the SDPI. Failure to carry out a DPIA when the processing is subject to one, carrying out a DPIA incorrectly, or failing to consult the SDPI where required, can result in an administrative fine of up to 10 000 000 euros or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- We gather evidence and information
- We assess data processing operations and data processing purposes
- We assess the lawfulness of the processing of personal data and the proportionality of the processing
- We assess the risks to the rights and freedoms of data subjects
- We propose measures to eliminate risks to data subjects
- We prepare reasoned assessment conclusions
- Data processing operations and their purposes are described: the purpose of each data processing operation, the categories of data subjects, the categories of data, any special categories of data, the source of the data, the approximate number and geographical coverage of data subjects, the recipients of the data and the data retention periods
- An assessment of the necessity and proportionality of the data processing operations in relation to their objectives is carried out. The lawfulness of the processing of personal data and the proportionality of the processing are described
- An assessment of the risks to the rights and freedoms of data subjects is carried out. The likelihood and severity of the threat to the data subjects' rights and freedoms are established, taking into account the nature, scope, context and purposes of the processing. The risk is assessed on the basis of an objective assessment of whether the processing operations involve a risk or a high risk (according to recital 76 of the GDPR)
- Measures to address the risks to data subjects are proposed, including safeguards, security measures and mechanisms to ensure the protection of data subjects' data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned
- The conclusions of the DPIA are presented as a summarised set of DPIA conclusions
- The lawfulness of the processing of personal data has been established
- The risk to the rights and freedoms of data subjects has been eliminated
- Evidence of the DPIA has been collected
- Compliance with GDPR requirements is ensured