DPIAs always include the appropriate information and are comprehensively documented.
Ways to meet our expectations:
- Your organisation has a standard, well-structured DPIA template which is written in plain English. DPIAs:
  - include the nature, scope, context and purposes of the processing;
  - assess necessity, proportionality and compliance measures;
  - identify and assess risks to individuals; and
  - identify any additional measures to mitigate those risks.
- DPIAs clearly set out the relationships and data flows between controllers, processors, data subjects and systems.
- DPIAs identify measures that eliminate, mitigate or reduce high risks.
- You have a documented process, with appropriate document controls, that you review periodically to ensure it remains up to date.
- You record your DPO’s advice and recommendations and the details of any other consultations.
- Appropriate people sign off DPIAs, such as a project lead or senior manager.
Can you answer yes to the following questions?
- Do staff use the DPIA template and find it easy to understand?
- Is the DPIA process effective in practice?
- Is the DPO satisfied that their advice is taken into account?
- Are they satisfied with any consultation that has taken place, and with how you reflect any feedback in the outcome?