You take appropriate and effective action to mitigate or manage any risks a DPIA identifies, and you have a DPIA review process.
Ways to meet our expectations:
- You have a procedure to consult the ICO if you cannot mitigate residual high risks.
- You integrate outcomes from DPIAs into relevant work plans, project action plans and risk registers.
- You do not start high-risk processing until mitigating measures are in place following the DPIA.
- You have a procedure to communicate the outcomes of DPIAs to appropriate stakeholders, eg through a formal summarised report.
- You consider actively publishing DPIAs where possible, removing sensitive details if necessary.
- You agree and document a schedule for reviewing the DPIA regularly, or when the nature, scope, context or purposes of the processing change.
Can you answer yes to the following questions?
- Do staff understand when to consult the ICO?
- Do you effectively integrate outcomes from DPIAs into projects?
- Are appropriate stakeholders aware of the outcomes of DPIAs?