You understand whether a DPIA is required, or where it would be good practice to complete one. There is a clear DPIA policy and procedure.
Ways to meet our expectations:
- You have a DPIA policy which includes:
  - clear procedures to decide whether you conduct a DPIA;
  - what the DPIA should cover;
  - who will authorise it; and
  - how you will incorporate it into the overall planning.
- You have a screening checklist to consider if you need a DPIA, including all the relevant considerations on the scope, type and manner of the proposed processing.
- If the screening checklist indicates that you do not need a DPIA, you document this.
- Your procedure includes the requirement to seek advice from the DPO and other internal staff as appropriate.
- Your procedure includes consultation with controllers, data processors, individuals, their representatives and any other relevant stakeholders as appropriate.
- Staff training includes the need to consider a DPIA at the early stages of any plan involving personal data and, where relevant, you train staff in how to carry out a DPIA.
- You assign responsibility for completing DPIAs to a member of staff who has enough authority over a project to effect change, e.g. a project lead or manager.
Can you answer yes to the following questions?
- Are your policies and procedures easy to locate?
- Are staff aware of the process?
- Do they consider it effective?
- Have they had adequate training?
- Are DPIAs conducted by those with appropriate authority to effect change?