You take a data protection by design and by default approach to managing risks, and, as appropriate, you build DPIA requirements into policies and procedures.
Ways to meet our expectations:
- You reference DPIA requirements in all risk, project and change management policies and procedures, with links to DPIA policies and procedures.
- Your procedures state that, if required, a DPIA must begin at the project’s outset, before processing starts, and that the DPIA must run alongside the planning and development process.
- You anticipate risks and privacy-invasive events before they occur, making sure that at the initial design phase of any system, product or process and throughout, you consider the:
  - intended processing activities;
  - risks that these may pose to the rights and freedoms of individuals; and
  - possible measures available to mitigate the risks.
Can you answer yes to the following questions?
- Would staff working on personal data processing projects be able to explain how they manage the risks as part of the project?