The UK's independent authority, set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

DPIA risk mitigation and review

You take appropriate and effective action to mitigate or manage any risks a DPIA identifies, and you have a DPIA review process.

Ways to meet our expectations:

  • You have a procedure to consult the ICO if you cannot mitigate residual high risks.
  • You integrate outcomes from DPIAs into relevant work plans, project action plans and risk registers.
  • You do not start high-risk processing until the mitigating measures identified in the DPIA are in place.
  • You have a procedure to communicate the outcomes of DPIAs to appropriate stakeholders, eg through a formal summarised report.
  • You consider actively publishing DPIAs where possible, removing sensitive details if necessary.
  • You agree and document a schedule for reviewing the DPIA regularly, and you review it whenever the nature, scope, context or purposes of the processing change.

Can you answer yes to the following questions?

  • Do staff understand when to consult the ICO?
  • Do you effectively integrate outcomes from DPIAs into projects?
  • Are appropriate stakeholders aware of the outcomes of DPIAs?