The GDPR has applied since 25 May 2018 and has been at the center of the risk and compliance conversation for even longer. Under Article 3 it applies to any organization established in the EU, as well as to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behavior there. In practice, that means almost every major corporation in the world needs a GDPR compliance strategy.
Article 35 of the GDPR covers Data Protection Impact Assessments (DPIAs). The DPIA was introduced by the GDPR and complements the "data protection by design and by default" principle in Article 25. According to the law:
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
As outlined in Article 35(7), the GDPR requires a DPIA to contain at least the following elements:
- A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes
- An assessment of the risks to the rights and freedoms of data subjects
- The measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance
If you are beginning a data processing activity that is likely to result in a high risk to the rights and freedoms of the people whose personal data you process, for example large-scale profiling or monitoring, or processing of special categories of data (Article 35(3)), you must complete the DPIA before the processing starts. Completing a self-assessment using the DPIA template in Whistic beforehand is a practical way to do this: it doubles as internal discovery of what data you hold and why, and, more importantly, it documents your compliance with the GDPR. Keep in mind that if the DPIA concludes the residual risk remains high, Article 36 requires you to consult your supervisory authority before processing begins.