Impact Assessment under GDPR-Part 2

In our last article we discussed why an impact assessment is needed, and when it is mandatory or optional, to evaluate the situation prior to the processing of personal data. We further saw that a data protection impact assessment is in particular required where the personal data falls under Articles 9 and 10 of the GDPR. In today's article we will discuss the contents of a data protection impact assessment. Article 35 mandates that the assessment must contain at least the following:

  1. A systematic description of the processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  2. An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. An assessment of the risks to the rights and freedoms of data subjects;
  4. Measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Approved Compliance Code

Compliance with an approved code of conduct, as referred to under Article 40 of the GDPR, by the relevant processor or controller shall be taken into due account while assessing the impact of the processing operations conducted by such controller or processor (in particular for the purpose of a data protection impact assessment). The controller must also seek the views of the data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.

Article 35 further states that the controller shall carry out a review to assess whether processing is performed in accordance with the data protection impact assessment, at least when there is a change in the risk represented by the processing operations.

Picture Credit- https://www.privacypolicies.com