Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is an instrument designed to help organizations systematically analyze, identify, and minimize the data protection risks of a project or system.
This feature includes templates, checklists, and workflows to help you evaluate the necessity and proportionality of your data processing activities, assess potential risks to individuals' privacy rights, and determine measures to address those risks. It's designed to ensure compliance with the GDPR's requirements for conducting DPIAs where data processing is likely to result in a high risk to individuals' rights and freedoms.
Common Triggers for DPIAs:
- New Vendors: When a company is obtaining a new piece of technology that may encompass “high risk” processing scenarios and/or especially sensitive data, and an earlier risk assessment, such as a PIA, indicates that a DPIA is required.
- Changing Business Use: When a vendor has changed something significant about the way they process “high risk” data, or when a customer is changing something about the way they intend to use an existing system.
  - e.g. we are going to be using high-risk new features or pursuing a novel use of a technology such that it would warrant a new DPIA.
- High-Risk Projects: When a company is embarking on a project (e.g. a targeted marketing campaign) that will likely contain high-risk processing activities and/or especially sensitive data, and an earlier risk assessment, such as a PIA, indicates that a DPIA is required.
- Audit: In response to an audit by an external regulatory body or in due course of litigation.
- Internal Due Diligence: When a DPIA has “expired” based on a company privacy program’s internal retention schedule.
DataGrail User Roles
Only the following will have access to the Risk Monitor tab without being assigned as a contributor to an assessment:
- Super Admin
- Risk Monitor Admin
Roles combine additively: a user who holds any role without access to this UI together with one of the roles above will be granted access to the Risk Monitor. For example, if a user has a Connections Manager role, adding a Super Admin role to their user record in DGAdmin would then allow them access to the new Risk Monitor.
Workflow
In the Risk Monitor tab of DataGrail, you will find:
- All previously created assessments and their associated: name, state and contributor assignee, personal data likelihood, percentage of completion, due date, renewal date, and the Approving user
- The ability to create a new assessment
- The total count of all created assessments
All previously created assessments will be sorted in ascending order based on creation date, with the earliest assessment created displaying last on the list.
Creating a New Standard Assessment
Clicking on the ‘Create New Assessment' button will direct the user to a creation page where they need to specify:
- Assessment Name
- System(s)
- Business Process(es) (optional)
- Due Date (optional)
- Renewal Cycle
Adding a Contributor
When a contributor email is added to an assessment, an invite email is sent to the email address with:
- Subject: “Inviter (first name and last name) from Customer’s\_Datagrail\_Account\_Name has shared an assessment with you”
- Body: First name, last name and email address of the DataGrail customer user that created the assessment, the name of the customer’s DataGrail account and the system this assessment is for
- Clickable link to view and edit the assessment
- Message for Contributor (optional)
A contributor can also be added after an assessment has been created if the assessment is in either a ‘Not Started’ or ‘In Progress’ state.
By clicking on the ‘...’ button to the right of an assessment, a user can add a contributor to an already created assessment: choose the Invite Contributor option, fill in the email address and an (optional) message, and send them an invite.
If a contributor has already been added to an assessment, clicking on the ‘...’ button to the right of the assessment will display the options to ‘Resend Invite’ or ‘Remove Contributor’. Clicking Remove Contributor will load a confirmation explaining that removing a contributor also counts as a submission of the assessment. Confirming this action will show a green notification, move the assessment into an ‘In Progress’ status (if it was not already), and remove the contributor.
Contributors can be internal to your business, like a system owner, or external to your business, such as a contact for the Vendor.
Filling out an Assessment
All created assessments have a total of 10 sections where the user is able to add information related to the system on the assessment.
- General Information
- Need for DPIA
- Consultation Process
- Data Processing Content
- Benefits of Processing
- Lawfulness & Fairness
- Privacy Rights & Expectations
- Protective Measures
- Special Topics
- Risks & Mitigations
All questions within these sections are optional to complete and will be available
A user can move back and forth between sections by (1) utilizing the Back and Next buttons respectively or (2) by clicking on the section they want to jump to via the list of sections available on the left hand side of the assessment. When a user is on a certain section, that section will be highlighted in blue.
Creating a Custom Template Assessment
Clicking on the ‘Create Template' button will direct the user to a template creation page where they need to specify:
- Assessment Name
- Section Title
After creating a section, click on + Add Question to begin building out the information applicable for the section.
Next, select the type of answer that will be provided for the question out of the following options:
- Single Selection
- Multiple Selection
- Date Picker
- Text Answer
After creating your Question, you can make that question conditional and choose if, and when, to show the next question by adding a Rule.
To Add a Rule to a question, you must first add a second question. Once the second question is added, you will see the "Add Rule" button appear.
To Add a Rule, follow the steps below:
- On the newly created question, click the "Add Rule" button at the bottom
- Select the answer to the question and the action to take place for that answer
- When the rule is complete, select "Apply Rule" (note: if you'd like to start over or cancel the rule, select "Cancel")
When a rule has been added, the selected question with the rule assigned will show the label "1 Rule Added". The following question will show the label "Conditional", as it will only be visible to the User if they select the answer targeted by the created rule.
After you've created your Section, Question, and Answer, repeat for as many Sections as are applicable for your Assessment, then click "Save Assessment".
After saving, the assessment will be viewable to edit and approve on the main Risk Monitor Assessment page.
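The rule mechanics described above (a rule can only be attached once a following question exists, a matching answer reveals the next question, and the two questions are labelled "1 Rule Added" and "Conditional") can be modelled in a few lines. The following is an added illustration, not DataGrail's own code; the `show_next` action name, the data-class layout and the sample questions are assumptions made for the example.

```python
"""Model of conditional questions in a custom assessment template.
Added example; not DataGrail code. Assumes a rule on question N controls
the visibility of question N+1 and fires when the given answer is selected."""
from __future__ import annotations
from dataclasses import dataclass, field

# The four answer types the template builder offers.
ANSWER_TYPES = {"single_selection", "multiple_selection", "date_picker", "text_answer"}


@dataclass
class Rule:
    answer: str                 # answer that triggers the rule
    action: str = "show_next"   # assumed action name (the page names no action identifiers)


@dataclass
class Question:
    prompt: str
    answer_type: str
    options: list[str] = field(default_factory=list)
    rules: list[Rule] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.answer_type not in ANSWER_TYPES:
            raise ValueError(f"unknown answer type: {self.answer_type}")


def rule_matches(rule: Rule, answer) -> bool:
    """Multiple-selection answers are sets; a rule matches if its answer was picked."""
    if isinstance(answer, (set, frozenset, list, tuple)):
        return rule.answer in answer
    return answer == rule.answer


@dataclass
class Section:
    title: str
    questions: list[Question] = field(default_factory=list)

    def add_rule(self, index: int, rule: Rule) -> None:
        # The builder only shows "Add Rule" once a second (following) question exists.
        if index + 1 >= len(self.questions):
            raise ValueError("add a following question before adding a rule")
        self.questions[index].rules.append(rule)

    def labels(self) -> dict[int, list[str]]:
        """Labels shown next to each question: 'N Rule(s) Added' and/or 'Conditional'."""
        out = {i: [] for i in range(len(self.questions))}
        for i, q in enumerate(self.questions):
            if q.rules:
                n = len(q.rules)
                out[i].append(f"{n} Rule{'s' if n > 1 else ''} Added")
                out[i + 1].append("Conditional")
        return out

    def visible_questions(self, answers: dict[int, object]) -> list[int]:
        """Indices of questions a contributor sees, given answers keyed by question index."""
        visible = []
        for i, q in enumerate(self.questions):
            prev = self.questions[i - 1] if i > 0 else None
            if prev is not None and prev.rules:
                # Conditional question: shown only if some rule on the previous question fires.
                if not any(rule_matches(r, answers.get(i - 1)) for r in prev.rules):
                    continue
            visible.append(i)
        return visible


def sample_section() -> Section:
    """Constructed sample template (not from the page): special-category data gate."""
    s = Section("Data Processing Content", [
        Question("Does the system process special category data?", "single_selection", ["Yes", "No"]),
        Question("Describe the special category data processed", "text_answer"),
        Question("Date the processing started", "date_picker"),
    ])
    s.add_rule(0, Rule(answer="Yes"))   # answering Yes reveals the description question
    return s
```

`visible_questions` is what a rendering layer would call on every answer change; `labels` reproduces the builder-side indicators so the template author can see which questions are gated.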
Submitting vs. Approving an Assessment
Submitting an Assessment
When an invited contributor has completed filling in the assessment, they are able to Submit this assessment. Clicking this button prompts a confirmation pop up to the user with:
- Context around what this action means
- The ability to add an (Optional) message to the Assessment Owner
- Buttons to both Cancel and Submit Assessment
Approving an Assessment
Super Admins and Risk Monitor Admins are the only user types that can approve an assessment.
When an assessment has been submitted by the editing user, it is in an In Progress state. Clicking on the ‘...’ button on the right of this assessment will only display the option to View the assessment.
Clicking "View" will load the submitted assessment with the option to Approve Assessment. Clicking on this button will load a confirmation modal that will need to be confirmed for the assessment to be submitted.
When an assessment is successfully submitted, all approval and change saving ability is replaced at the bottom of the assessment with the option to Download as PDF.
Assessment Statuses
There are four statuses an assessment can be in:
- Not Started
- In Progress
- Pending Approval
- Approved
Each status will provide a percentage of completion. If the Assessment is "Not Started", the percentage will show as 0%.
Not Started
No edits have been saved on this assessment yet by the editing user. This state is still editable by the editing user.
In Progress
This state can occur if:
- Edits have been saved on this assessment by the editing user. This state is still editable by the editing user.
- The invited contributor on the assessment was removed from the assessment by an Admin. This state is still editable by a Super Admin user.
- The invited contributor on the assessment completed the assessment and submitted it. This state is still editable by a Super Admin user.
Pending Approval
This state occurs when the invited collaborator(s) complete the assessment and submit it for approval.
Approved
This state can only occur if an Admin approves an assessment. This state is not editable, only viewable, regardless of user permissions.
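The status and permission rules spread across the sections above (Risk Monitor access for Super Admin and Risk Monitor Admin or an assigned contributor, additive role combination, edits only in Not Started and In Progress, contributor removal forcing In Progress, approval restricted to the two admin roles, and Approved being read-only for everyone) form a small state machine. The following is an added model of those rules, not DataGrail's own code; the role and status names come from the page, while the function names, the percentage calculation for non-zero states and the sample users are assumptions.

```python
"""State machine for Risk Monitor assessments with role checks.
Added example; not DataGrail code. Transitions follow the Assessment Statuses
section; the completion percentage for started assessments is an assumption."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Status(str, Enum):
    NOT_STARTED = "Not Started"
    IN_PROGRESS = "In Progress"
    PENDING_APPROVAL = "Pending Approval"
    APPROVED = "Approved"


class Role(str, Enum):
    SUPER_ADMIN = "Super Admin"
    RISK_MONITOR_ADMIN = "Risk Monitor Admin"
    CONNECTIONS_MANAGER = "Connections Manager"   # example of a role without Risk Monitor access


RISK_MONITOR_ROLES = {Role.SUPER_ADMIN, Role.RISK_MONITOR_ADMIN}
EDITABLE = {Status.NOT_STARTED, Status.IN_PROGRESS}


@dataclass
class User:
    email: str
    roles: set = field(default_factory=set)


@dataclass
class Assessment:
    name: str
    total_questions: int
    answered: int = 0
    status: Status = Status.NOT_STARTED
    contributor: Optional[str] = None


def is_admin(user: User) -> bool:
    # Roles are additive: holding any qualifying role is enough, whatever else the user has.
    return bool(user.roles & RISK_MONITOR_ROLES)


def can_view_risk_monitor(user: User, assessment: Optional[Assessment] = None) -> bool:
    """Admins see the tab; everyone else only through an assessment they contribute to."""
    return is_admin(user) or (assessment is not None and assessment.contributor == user.email)


def percent_complete(a: Assessment) -> int:
    # Page: Not Started always shows 0%. Ratio for other states is an assumed convention.
    if a.status is Status.NOT_STARTED or a.total_questions == 0:
        return 0
    return round(100 * a.answered / a.total_questions)


def save_edits(a: Assessment, user: User, answered: int) -> None:
    if a.status not in EDITABLE:
        raise PermissionError(f"assessment is {a.status.value}; no edits allowed")
    if not can_view_risk_monitor(user, a):
        raise PermissionError("user has no access to this assessment")
    a.answered = answered
    a.status = Status.IN_PROGRESS        # first saved edit leaves Not Started


def submit(a: Assessment, user: User) -> None:
    """Invited contributor submits a completed assessment for approval."""
    if user.email != a.contributor:
        raise PermissionError("only the assigned contributor can submit")
    if a.status not in EDITABLE:
        raise PermissionError(f"cannot submit from {a.status.value}")
    a.status = Status.PENDING_APPROVAL


def remove_contributor(a: Assessment, admin: User) -> None:
    """Removal counts as a submission and moves the assessment to In Progress."""
    if not is_admin(admin):
        raise PermissionError("only an admin can remove a contributor")
    if a.status not in EDITABLE:
        raise PermissionError(f"cannot remove contributor from {a.status.value}")
    a.contributor = None
    a.status = Status.IN_PROGRESS


def approve(a: Assessment, user: User) -> None:
    if not is_admin(user):
        raise PermissionError("only Super Admin or Risk Monitor Admin can approve")
    if a.status is not Status.PENDING_APPROVAL:
        raise PermissionError(f"cannot approve from {a.status.value}")
    a.status = Status.APPROVED           # terminal: view and PDF download only


def walkthrough() -> list[str]:
    """Constructed scenario: contributor edits and submits, admin approves."""
    owner = User("owner@example.com")                              # external vendor contact
    admin = User("admin@example.com", {Role.CONNECTIONS_MANAGER, Role.RISK_MONITOR_ADMIN})
    a = Assessment("Vendor X DPIA", total_questions=10, contributor=owner.email)
    trail = [a.status.value]
    save_edits(a, owner, answered=4);  trail.append(a.status.value)
    submit(a, owner);                  trail.append(a.status.value)
    approve(a, admin);                 trail.append(a.status.value)
    return trail
```

Every mutating function checks the role first and the state second, so a denied call leaves the assessment untouched; the same ordering is what an audit log of the real feature would record.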
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.