TrustArc Blog

EU GDPR Article 35 – Data Protection Impact Assessment (DPIA), Part II

October 17, 2017

EU General Data Protection Regulation (GDPR)

In Part I of this two-part blog series we provided an introduction and background to EU GDPR Article 35 – Data protection impact assessment (DPIA).

Now, in Part II we will share some best practices and helpful tips on implementing a DPIA program. These tips were shared by Beth Sipula, Senior Privacy Consultant at TrustArc and Alexia Maas, SVP & General Counsel at Volvo Financial Services in our Privacy Insight Series webinar, “Building Your DPIA/PIA Program: Tips & Case Studies.”

Part II: DPIA Program Essential Elements

The six essential elements that make up a sustainable DPIA program are: integrated governance, risk assessment, resource allocation, policies & standards, processes, and awareness & training.

  1. Integrated Governance. The first step in building a sustainable program is establishing program leadership. Depending upon your organization’s goals, the structure may vary. For example, a global corporation may have one global stakeholder along with several regional stakeholders.
  2. Risk Assessment. Classifying data-related risks will require taking a collaborative approach because stakeholders view risk differently. Do not forget to consider unstructured data when assessing risk.
  3. Resource Allocation. Assign knowledgeable and trained personnel to defined roles and responsibilities. Outlining the resources needed will help establish a budget.  
  4. Policies and Standards. Set procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks. The assessment process will help determine whether there are any gaps between the standards and the implemented practices.
  5. Processes. Develop a process that fits the organization’s size and privacy maturity level. Following a documented process, especially for PIAs/DPIAs will ensure consistency.
  6. Awareness & Training. This step is crucial to ensure that the program continually evolves and improves. Communicate expectations to the stakeholders and organization, provide contextual training, and establish training cycles.

For additional guidance on conducting DPIAs, and more information on TrustArc DPIA solutions, contact us today.