
The GDPR requires the Data Controller to implement "appropriate measures" to GUARANTEE and be able to DEMONSTRATE compliance with the regulation.

A DPIA is a process intended to:

  1. Describe the data processing
  2. Assess its necessity and proportionality
  3. Help manage the risks to the rights and freedoms of individuals

In line with the risk-based approach, it is not mandatory to conduct a DPIA for every processing operation, but it is necessary to conduct one when a processing operation "may present a high risk to the rights and freedoms of natural persons."

The obligation for data controllers to carry out a DPIA should be read in the context of their general obligations to adequately manage the risks presented by the processing of personal data.

A DPIA is also useful for assessing the impact of a technology product (hardware and software) when the same product is used by separate controllers; of course, each controller using that product remains subject to the obligation to carry out its own DPIA for its specific implementation.

  • When is a risk high?
  • What unit of measurement do we use to define "high risk"?

FIRST: Check whether a DPIA is mandatory because the processing falls into one of the cases defined in Annex 1 to Order No. 467 of 11/10/2018 of the Privacy Guarantor, "List of types of processing subject to the requirement of a data protection impact assessment pursuant to Article 35(4) of Regulation (EU) No. 2016/679."

SECOND: Assess the risks to personal data that may result from Unauthorized Disclosure/Access, Modification and Loss/Destruction. First assess the inherent risk (Ri), i.e. the risk without any measures in place; then apply measures appropriate to that risk to obtain the residual risk (Rr). If Rr is higher than the acceptable risk (Ra) that the organization has established as a known and tolerated value, the processing carries a High Risk that cannot be mitigated, and this triggers the DPIA obligation.

The DPIA measures the risks to the rights and freedoms of data subjects. It still performs a risk assessment, but one based on a Probability and Severity calculation whose matrix is quite different from the one used in the VR.
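The two-step check above, as an added worked example that is not from this page or from Inveo: the 1..4 Probability and Severity scales, risk = P x S, the threshold Ra = 6, the measures and the sample processing operation are all constructed assumptions standing in for an organization's own scales.

```python
from dataclasses import dataclass, field

THREATS = ("Unauthorized Disclosure/Access", "Modification", "Loss/Destruction")
ACCEPTABLE_RISK = 6  # Ra: assumed threshold; risk = P x S, P and S each on a 1..4 scale

@dataclass
class Measure:
    name: str
    threat: str                   # which of THREATS the measure addresses
    reduces_probability: int = 0  # assumed effect: steps removed from P
    reduces_severity: int = 0     # assumed effect: steps removed from S

@dataclass
class ProcessingOperation:
    name: str
    inherent: dict                # threat -> (P, S) before any measure
    in_annex1: bool = False       # listed in Annex 1 of Order No. 467/2018?
    measures: list = field(default_factory=list)

def inherent_risk(op):
    """Ri per threat: risk without any measure applied."""
    return {t: p * s for t, (p, s) in op.inherent.items()}

def residual_risk(op):
    """Rr per threat: apply each relevant measure, never dropping P or S below 1."""
    out = {}
    for t, (p, s) in op.inherent.items():
        for m in op.measures:
            if m.threat == t:
                p = max(1, p - m.reduces_probability)
                s = max(1, s - m.reduces_severity)
        out[t] = p * s
    return out

def dpia_required(op, ra=ACCEPTABLE_RISK):
    """FIRST: Annex 1 listing obliges a DPIA; SECOND: otherwise any Rr > Ra triggers it."""
    if op.in_annex1:
        return True, "listed in Annex 1"
    high = [t for t, v in residual_risk(op).items() if v > ra]
    if high:
        return True, "Rr > Ra for: " + ", ".join(high)
    return False, "Rr <= Ra for every threat"

# Constructed sample: an HR database with one measure per relevant threat in place.
SAMPLE = ProcessingOperation(
    name="HR personnel records",
    inherent={THREATS[0]: (4, 4), THREATS[1]: (2, 3), THREATS[2]: (3, 4)},
    measures=[Measure("encryption at rest", THREATS[0], reduces_severity=2),
              Measure("offline backups", THREATS[2], reduces_probability=2)],
)
```

For the sample, disclosure risk remains at 8 after encryption, above Ra, so the DPIA obligation is triggered by the SECOND step even though the operation is not in Annex 1.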
