What assessments do we need to perform for privacy compliance?
GDPR Article 35 states that data controllers need to carry out a DPIA (Data Protection Impact Assessment) and seek the advice of the DPO (Data Protection Officer) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
The following are typical scenarios:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
But are these enough? Obviously not.
Generally, where a DPIA is not applicable, we need to perform a PIA (Privacy Impact Assessment) to assess the impact on natural persons.
When relying on legitimate interests as the lawful basis for processing personal data, we need to perform an LIA (Legitimate Interests Assessment) to test the balance between the legitimate interests of the controller and the rights and freedoms of natural persons.
When personal data is transferred across borders, a TIA (Transfer Impact Assessment) needs to be performed to assess the legal environment of the destination country and the control measures adopted, so that the personal data receives the same level of protection after transfer.
When entrusting processing to another entity, due diligence needs to be performed on the processor to ensure that the technical and organizational measures taken by the processor provide the same level of protection.
In addition, to ensure the security of personal data, it is necessary to perform a security assessment of whether the technical and organizational security measures adopted can actually protect the personal data.
To complete these assessments, we need to prepare various assessment templates. We also need to maintain a history of the assessments and be able to present them when facing regulatory scrutiny.
JANUSEC Privacy provides the assessment tools mentioned above, which let you complete the assessments directly online and can greatly improve assessment efficiency.