
How to perform a Data Protection Impact Assessment


[Updated! Originally published 2017 September 9]

There is a ton of free material on the Internet describing the Data Privacy Impact Assessment (DPIA) process. Some fine examples include:

When I actually tried to perform my first DPIA (also called "Data Protection Impact Assessments"), I struggled because the templates were not particularly intuitive. I searched for real-world examples of DPIAs...and found nothing. I looked for templates that were comprehensive and straightforward...and found none.

Even the three different versions of a DPIA template I received from IT Governance as part of a GDPR class and a document template kit left me wanting.

There was a total lack of practical examples.

The fix? I decided to roll my own:
  • I begged, borrowed and stole ideas from various DPIA forms and spreadsheets.
  • I built a more detailed, revised template that forces the privacy practitioner not to forget anything.
  • I tested the template as both a data controller and as a data processor, making many revisions.
  • I consulted with colleagues and GDPR experts to resolve issues.
  • I added pretty colors.
  • I formatted it to print.
  • And I learned more about the GDPR than I ever expected.
You get to take advantage of my work so you don't have to suffer like I did...

DPIA Template

I'll continue revising this template. Feel free to comment on where it needs to be improved! When I release a new version, I'll update the article date and link:

Examples of Completed DPIAs

I've created a couple examples of completed DPIAs. They are both based on several real DPIAs that I've combined and edited to ensure there were examples of risks to be mitigated.

Example of a DPIA by a Data Controller

I chose a very common scope that's familiar to every organization: maintaining Human Resources employee data.

Example of a DPIA by a Data Processor

Interestingly, many of the questions that need to be answered in a DPIA are Data Controller-specific and don't apply to a Data Processor. But the Data Processor is still responsible for helping the Data Controller comply with the GDPR. For Controller-only questions, I suggest you comment on how you, as Data Processor, are going to help the Data Controller.

Have at it!

If you have recommended modifications or translate it into another language, let me know - I'm happy to post variations or update my version with your suggestions.

Comments

  1. Thanks for making this available. I was on the same quest.

  2. Hi Mike, can you please explain how you developed your Risk to rights and freedoms of data subjects calculation on the Risks tab? Did you develop the 1-3 score, or is that an industry standard? Thanks!

    Replies
    1. Hi John - my apologies: I somehow missed (for months!) your question. Answer: The 0-3 score is simply what I chose rather than 1-3 or 1-5 or any other scoring. There is no industry standard: I just chose what felt easiest for me. You can change the formulas to anything you want - feel free!

  3. Congrats, Mike, and thank you for sharing.

  4. Thank you - very helpful and well constructed

  5. You have a good point here! I totally agree with what you have said!! Thanks for sharing your views on Sales and Distribution Management Solution in the UK; hope more people will read this post.
