DPIA - Privacy Desk

Data Protection Impact Assessment (DPIA) is used as a tool for minimizing risks relating to privacy and security of personal information during data processing activities. Typically, DPIAs are used to investigate, recognize, and mitigate potential risks to data before launching a new business endeavor or project. GDPR, under Article 35, puts emphasis on the relatively high risk to the rights and freedoms of individuals when new processes or new technology is being engaged for data processing for the first time.

These assessments take the shape of flexible processes aimed at systematically recognizing, analyzing and managing the risk potential of any data processing operation. While such assessments are necessary for compliance, they also effectively allows an organization or entity to assess the kinds and levels of risk posed by a proposed plan and whether it falls within acceptable limits of risk that can be further managed and minimized. This saves a company from potential security breaches that may expose them to fines and penalties.

Salient features of DPIA

The processors of data are required to include within the assessment detailed description of the proposed operation, its purpose, necessity and proportionality along with an assessment of the risks to the rights and freedoms of data subjects and mitigating measures. These assessments take the shape of flexible processes aimed at systematically recognizing, analyzing and managing the risk potential of any data processing operation.

The primary aim of DPIA is to:

assess the risks potentially involved in processing data
reduce the potential risks in processing data
make decisions over what is an acceptable level of risk weighed against the desired results.
allow organizations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.

Key Considerations

Need of DPIA (When is it required)

DPIA is required where data processing is likely to result in a high risk to data protection and privacy and the rights and freedoms of natural persons. This is particularly relevant when a new data processing technology is being introduced. Hence, data controllers embracing new technologies that are likely to infringe on the rights and freedoms of data subjects must, prior to any data processing, conduct a thorough assessment of the impact on data protection that such activity is likely to have. Alternatively, a DPIA may also be conducted to demonstrate compliance with the applicable data protection law. However, because of the many advantages associated with DPIAs, it is generally best practice to undertake a DPIA regardless of the circumstances

Who Conducts the DPIA

Project managers and other managers without specialist data protection knowledge should be able to use the screening checklist to help them focus on privacy issues.
An effective DPIA must include consultation with others who will each be able to identify different privacy risks and solutions.
Data Protection Officer available may assist conducting PIAs and in advising those signing off DPIAs on privacy matters.

The Assessment

DPIA should include:

A detailed description of the project as well as the purpose of the project
An assessment of the necessity of the data processing involved and on what scale
An assessment of all possible risks to data protection and consumer privacy
An explanation as to how those risks will be mitigated and how the project will adhere to GDPR policies

Steps for conducting DPIA

Identify the need for conducting a DPIA
Describe the processing activity
Consult stakeholders and concerned individuals if required
Assess necessity and proportionality
Identify and assess potential risks in the processing activity
Derive a mitigation plan
Signoff and record outcomes

While such assessments are necessary for compliance, they also effectively allows an organization or entity to assess the kinds and levels of risk posed by a proposed plan and whether it falls within acceptable limits of risk that can be further managed and minimized. This operations help to prevent potential security breaches that may subject the organization to fines and penalties.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.

Salient features of DPIA

Key Considerations

The Assessment

Get in touch with us

Cookie Consent