The UK's independent authority, set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Data protection by design and by default

You take a data protection by design and by default approach to managing risks, and, as appropriate, you build DPIA requirements into policies and procedures.

Ways to meet our expectations:

  • You reference DPIA requirements in all risk, project and change management policies and procedures, with links to DPIA policies and procedures.
  • Your procedures state that, if required, a DPIA must begin at the project’s outset, before processing starts, and that the DPIA must run alongside the planning and development process.
  • You anticipate risks and privacy-invasive events before they occur, making sure that at the initial design phase of any system, product or process, and throughout its development, you consider the:
    • intended processing activities;
    • risks that these may pose to the rights and freedoms of individuals; and
    • possible measures available to mitigate the risks.

Can you answer yes to the following questions?

  • Would staff working on personal data processing projects be able to explain how they manage the risks as part of the project?