The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

DPIA policy and procedures

You understand whether a DPIA is required, or where it would be good practice to complete one. There is a clear DPIA policy and procedure.

Ways to meet our expectations:

  • You have a DPIA policy which includes:
    • clear procedures to decide whether you conduct a DPIA;
    • what the DPIA should cover;
    • who will authorise it; and
    • how you will incorporate it into the overall planning.
  • You have a screening checklist to consider if you need a DPIA, including all the relevant considerations on the scope, type and manner of the proposed processing.
  • If the screening checklist indicates that you do not need a DPIA, you document this.
  • Your procedure includes the requirement to seek advice from the DPO and other internal staff as appropriate.
  • Your procedure includes consultation with controllers, data processors, individuals, their representatives and any other relevant stakeholders as appropriate.
  • Staff training includes the need to consider a DPIA at the early stages of any plan involving personal data and, where relevant, you train staff in how to carry out a DPIA.
  • You assign responsibility for completing DPIAs to a member of staff, who has enough authority over a project to effect change, eg a project lead or manager.

Can you answer yes to the following questions?

  • Are your policies and procedures easy to locate?
  • Are staff aware of the process?
  • Do they consider it effective?
  • Have they had adequate training?
  • Are DPIAs conducted by those with appropriate authority to effect change?