Data Protection Impact Assessment (DPIA) of processing

We specialise in assessing the impact of processing on the protection of personal data.

We are one of the few companies that advise the largest entities in Poland in this area. A data protection impact assessment is carried out where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35 GDPR).

On 8 July 2019, the announcement of the President of the Personal Data Protection Office (UODO) of 17 June 2019 was published, containing the list of types of processing operations that require a data protection impact assessment. One example of such an operation is a system that monitors employees’ working time and the flow of information in the tools they use (e-mail, internet).

The obligation to assess the impact of processing on the protection of personal data rests with the data controller; in practice it involves the Data Protection Officer, whose advice must be sought, and the administrators of the IT systems used to process the personal data.

The same pattern as for a general risk assessment can be followed for the data protection impact assessment, emphasising at each stage (from describing the context to treating the risk) those elements that materially affect the consequences a data breach may have for data subjects.

The purpose of the impact assessment is to estimate the risk, which we understand as hypothetical scenarios of high-risk events described by:

  1. The type of personal data, e.g. customers’ personal data.
  2. Sources of risk.
  3. Vulnerabilities that can be exploited in the assets supporting the processing of personal data.
  4. The feared event, such as a personal data leak.
  5. Impact on data subjects, e.g. discrimination, financial loss, social media defamation.

We use proven practices and methodologies of our own development.
The impact assessment process is most often carried out in the following stages:

Context

Defining and describing the environment in which personal data are processed, and stating the purposes of the processing.

  1. Purposes of processing, description of the processing environment.
  2. Description of data processing.
  3. Purposes of the processing, information provided to data subjects, and the data subject rights to be secured.
  4. Description of personal data.
  5. List of supporting assets.
Security

Identifying the existing and planned measures that ensure compliance and control privacy risks.

  1. A list of the organisational, IT and physical security measures protecting personal data.
Risk

Assessing the privacy risk to confirm that the safeguards are adequate and to plan the treatment of the risk.

  1. Identification of the sources of risk. We answer the questions: who and why?
  2. Identification of vulnerabilities.
  3. Description of the risk events. We answer the questions: what and how? The events considered are unauthorised access to data, unwanted modification of data and loss of data.
  4. Identification of threats.
  5. Determination of the probability levels.
  6. Description and estimation of the effects on individuals.
Decision

Deciding how to meet the privacy requirements and how to treat the risk.

  1. Risk evaluation.
  2. Selection of countermeasures: safeguards.
  3. Development of risk treatment plans.
  4. Opinion of the DPO.
  5. Views of data subjects or their representatives.
  6. Formal validation.
  7. If the residual risk is still not acceptable, prior consultation with the supervisory authority.