Guidelines Data Protection Impact Assessment

By | Friday April 14th, 2017
On April 5, the “Article 29 Data Protection Working Party” published the “Guidelines on Data Protection Impact Assessment (DPIA)” in order to give an authoritative interpretation of art. 34 of EU Regulation 2016/679.
The document runs to 19 pages (plus two annexes) and is very dense, given the complexity of the subject.
The guidelines show that the DPIA activity is quite complex, characterized by:
  • Risk management (it may be worth considering the use of ISO 31000), conducted on two levels:
    • information security,
    • assessment of the risk to the rights and freedoms of natural persons (the aspect specific to the DPIA);
  • Repeating the DPIA whenever the risks may change in terms of the nature, scope, context and purposes of the processing (and in any case at least every three years);
  • Preparing the Register of processing operations (as required by art. 30 of EU Regulation 2016/679).

It also emerges that, for all existing processing operations, the DPIA will have to be completed before the Regulation becomes applicable, at the latest by May 25, 2018 (not an easy task; we should get started now): video surveillance is a processing operation for which DPIA activities should always be carried out.

You can find the guideline here.

Category: Impact, Risk and Measures

About Andrea Castello

Andrea Castello is a professional working in the Information Systems domain. He graduated in Management Engineering. Since 2006 he has worked as a consultant, trainer and auditor focusing on Management Systems (ISO 9001, ISO/IEC 20000, ISO/IEC 27001), Risk Analysis & Management and Privacy. Lead Auditor for ISO 9001, ISO/IEC 27001, ISO/IEC 20000-1 and ISO 22301; qualified trainer for ISO/IEC 27001, ISO/IEC 20000, ISO 22301 and ITIL Foundation.