Security & Compliance
DP-04 Template Data Protection Impact Assessment
Last updated: 21 November 2023 at 11:05:39 UTC by Russell Briggs
DATA PROTECTION IMPACT ASSESSMENT (DPIA-01)
1. Data Controller:

2. Reference Number: DPIA-01

3. Description of Project:

4. Purpose of Project:
(Explain broadly what the project aims to achieve, including the intended effect on individuals and the benefits of the processing for the individuals and the organisations involved.)

5. Types of Data Subjects:

6. Types of Personal Data:
☐ Name
☐ ID Number

7. Special Category Data:
☐ Racial Origin
☐ Criminal Prosecutions or Allegations

8. Who will be able to see and/or have access to the data?

9. How will you collect, use, store and delete data?

10. What is the source of the data?

11. Will the data be shared with anyone? If so, how will this be protected?

12. How much data will you be collecting and using?
(If unknown, please provide a realistic estimate.)

13. How many individuals are affected?
(If unknown, please provide a realistic estimate.)

14. How long will the information be kept for?

15. What geographical area does it cover?

16. What is the nature of your relationship with the individuals?

17. How much control will they have over their data?

18. Would they expect you to use their data in this way?

19. Do they include children or other vulnerable groups?

20. Are there prior concerns over this type of processing, or any security flaws?

21. Are there any current issues of public concern that may need to be factored in?

22. What is the lawful basis for processing the personal data?

23. Does the processing achieve the intended purpose?

24. Is there a less privacy-intrusive way to achieve the same outcome?

25. How will you prevent the data from being used in an unexpected way?

26. How will you ensure data minimisation?
27. How will you ensure individuals' right to be informed is complied with?
(This could be by way of a privacy notice at the point of collection.)
28. What measures are in place to ensure any data processors comply with legislation?

29. Consider how to consult with relevant stakeholders: describe when and how you will seek individuals' views, or justify why it is not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?
30. Identify and Assess Risks

| Risk Ref | Describe source of risk and nature of potential impact on individuals (include associated compliance and corporate risks as necessary) | Likelihood of harm (remote, possible or probable) | Severity of harm (minimal, significant or severe) | Overall risk (low, medium or high) |
|---|---|---|---|---|
| | | | | |
31. Identify Measures to Reduce Risk

Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5.

| Risk Ref | Options to reduce or eliminate risk | Effect on risk (eliminated, reduced or accepted) | Residual risk (low, medium or high) | Measure approved (yes or no) |
|---|---|---|---|---|
| | | | | |

| | Name/date | Notes |
|---|---|---|
| Measures approved by: | | Integrate actions back into project plan, with date and responsibility for completion |
| Residual risks approved by: | | If accepting any residual high risk, consult the relevant supervisory authority before going ahead |
| Comments: | | |
| Consultation responses reviewed by: | | If your decision departs from individuals' views, you must explain your reasons |
| Comments: | | |
| This DPIA will be kept under review by: | | |