A policy is a statement of management’s intent, and is usually supported by a more detailed procedure or protocol. It’s good practice to have a policy that covers your organisation’s approach to Data Protection Impact Assessments (DPIAs). The following is a suggestion towards compiling your own policy.
Data Protection Impact Assessment (DPIA) Policy
Introduction (some call this the Policy Statement)
Indicate, broadly, the volumes and kinds of personal data your organisation processes and how this relates to compliance with the GDPR. Indicate that adherence to the policy will help identify when a DPIA is required. Indicate that the policy must be followed at the very early planning stages of new projects and run, together with the DPIA procedure, alongside the project plan.
Scope
To whom does the policy apply?
- any department/service which is introducing a new or revised service, or changes to a system, process or information asset, that involves processing personal data
- project managers, contracts and procurement, research, IT services etc.
- partners and contractors, who must also have a compliant policy of their own or else adopt yours
- individuals (data subjects) who might be impacted by the changes
Definitions
Describe the elements that are relevant:
a DPIA; personal data; special category data; criminal data; processing; prior consultation; risk; profiling; automated decision making; systematic monitoring etc.
Duties and Responsibilities
- Leadership – policy implementation and oversight
- DPO and Data Protection Team – implementation, monitoring and review of the procedure
- Staff – to be aware of and fulfil their responsibilities as appropriate
Does failure to adhere to the policy attract possible disciplinary action?
DPIA Procedure
Provide a high-level overview of your actual DPIA procedure/process.
Initiation; when a DPIA is not needed; when a DPIA is needed; lawful bases; processing; risk assessment and treatment; approval structure; engagement with the supervisory authority etc.
Associated documents
Such as your data protection policy, data sharing policy, risk management framework etc.
Policy review
When your policy was last reviewed and approved.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018