Hello and welcome back to this introduction to GDPR.
In this video we will be looking at data protection impact assessments and the role of the data protection officer, as defined in the GDPR.
So what is a data protection impact assessment? Well, data protection impact assessments, also known as privacy impact assessments, are a tool which can help organizations identify the most effective way to comply with their data protection obligations and minimise non-compliance risks.
An effective data protection impact assessment will allow organizations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
When do you need to conduct a data protection impact assessment?
Previously, privacy impact assessments were recommended, but now their use has been formalized.
You must carry out a data protection impact assessment on any high risk processing before it is commenced.
This is the risk to an individual's rights and freedoms, rather than the risks faced by the organization.
For example, when using new technologies,
or performing systematic and extensive processing activities, including profiling, where decisions have legal effects or similarly significant effects on individuals.
Also, processing of special categories of data or personal data in relation to criminal convictions or offenses.
This includes processing a considerable amount of personal data at regional, national or supranational level that affects a large number of individuals and involves a high risk to rights and freedoms,
e.g. based on the sensitivity of the processing activity.
Other factors that may increase risk include the presence of children or employees amongst those whose data is being processed.
Also, the matching or combining of data sets in unexpected ways from the data subjects' perspective, and data transfers outside the EU,
and large scale systematic monitoring of public areas by CCTV.
If a data protection officer has been appointed, his or her advice on the carrying out of the assessment must be sought.
What information should that data protection impact assessment contain?
There is no mandated form for it, and various templates exist. However, it must include
a description of the processing operations,
the purposes, including where applicable the legitimate interests pursued by the controller,
an assessment of the necessity and proportionality of the processing in relation to the purpose,
an assessment of the risks to the individuals,
and the measures in place to address risk, including security, and to demonstrate compliance.
A data protection impact assessment can address more than one project.
When conducting a data protection impact assessment, it may be necessary for the controller to seek out the views of data subjects or their representatives,
for example contacting employee representatives or trade unions when planning new ways to process employee data,
or contacting patient groups when working with health data.
Where risks cannot be mitigated and remain high, it is required that the controller contact their supervisory authority before the start of processing.
The controller shall carry out reviews to ensure processing is carried out in accordance with the data protection impact assessment.
The appointment of a data protection officer is voluntary,
except where the organization processing data is
a public authority or body,
a controller or processor whose core activities require regular and systematic monitoring of data subjects on a large scale,
or processing on a large scale data of the special categories we discussed earlier.
If the organization decides not to appoint a data protection officer, the decision should be documented and updated when new activities or services are introduced.
The person filling the role should be selected on the basis of their expert knowledge and understanding of the organization's operations. Though the GDPR does not specify any particular qualification, the more sensitive or complex the processing, the more expert the person should be.
Once appointed, whether voluntarily or mandatorily, the data protection officer must have the authority to review all data processing.
The minimum tasks that should be performed are
to inform and advise the organization and its employees about their obligations to comply with the GDPR and other data protection laws,
to monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities,
to advise on data protection impact assessments,
to train staff and conduct internal audits,
and to be the first point of contact for supervisory authorities and for individuals whose data is processed:
employees, customers, et cetera.
There are also duties assigned to the employer: to ensure that the role reports to the highest management level of the organization,
i.e. board level,
that the role operates independently and is not dismissed or penalized for performing its tasks,
and that adequate resources are provided to enable the data protection officer to meet their GDPR obligations.
Fundamentally, what this is getting at is that the data protection officer should have the full backing and authority of the board
in ensuring that the organization meets its security requirements under the GDPR.
If the organization decides not to appoint a data protection officer,
it should designate someone to take responsibility for data protection compliance
and assess where this role will sit within the organization's structure and governance arrangements.
The position should not be called a data protection officer, to avoid confusion.
It is most important that someone in the organization, or an external consultant, is responsible for compliance and has the knowledge, support and authority to carry out the role effectively.
The last area that we'll look at in this video is the records of processing activities.
As well as the obligation to provide comprehensive, clear and transparent privacy policies, which are discussed in the video on lawfulness of processing,
organizations of 250 or more employees must maintain additional records of their processing activities.
If the organization has fewer than 250 employees,
it is required to maintain records of activities related to high risk processing, such as processing personal data that could result in a risk to the rights or freedoms of the individual,
or processing of special categories of data or criminal convictions or offenses.
So what needs to be recorded?
The name and contact details of the organization and, where applicable, of joint controllers, the organization's representative and the data protection officer,
the purposes of processing,
a description of the categories of individuals and categories of personal data that will be processed,
the categories of recipients of personal data,
details of transfers to third countries, including documentation of the transfer mechanism and safeguards in place,
retention schedules for each category of data,
and a general description of technical and organizational security measures.
Finally, these records may be required to be made available to the relevant supervisory authority
for the purposes of an investigation, for example after a breach.
In the next video, we'll be looking at data protection breaches.
In the meantime, thank you for watching.