Time
1 hour 7 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

Data Protection Impact Assessments and Data Protection Officers
- Data Protection (or Privacy) Impact Assessments
- The Data Protection Officer role (as defined in the GDPR)
- Records of processing activities

Video Transcription

00:04
Hello and welcome back to this introduction to GDPR.
00:09
In this video we'll be looking at data protection impact assessments and the role of the data protection officer, as defined in the GDPR.
00:18
So what is a data protection impact assessment? Well, data protection impact assessments, also known as privacy impact assessments, are a tool which can help organizations identify the most effective way to comply with their data protection obligations and minimize non-compliance risks.
00:35
An effective data protection impact assessment will allow organizations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
00:48
When do you need to conduct a data protection impact assessment?
00:52
Previously, privacy impact assessments were recommended, but now their use has been formalized.
00:57
You must carry out a data protection impact assessment on any high-risk processing before it is commenced.
01:03
This is the risk to an individual's rights and freedoms rather than the risks faced by the organization.
01:11
For example, when using new technologies,
01:15
performing systematic and extensive processing activities, including profiling where decisions have legal effects or similarly significant effects on individuals,
01:27
large-scale processing of special categories of data or personal data in relation to criminal convictions or offenses.
01:36
This includes processing a considerable amount of personal data at a regional, national or supranational level that affects a large number of individuals and involves a high risk to rights and freedoms,
01:47
e.g. based on the sensitivity of the processing activity.
01:51
Other factors that may increase risk include the presence of children or employees amongst those being processed.
01:59
Also, the matching or combining of data sets in unexpected ways from the data subject's perspective, data transfers outside the EU,
02:07
and large-scale systematic monitoring of public areas by CCTV.
02:14
If a data protection officer has been appointed, his or her advice on the carrying out of the assessment must be sought.
02:23
What information should the data protection impact assessment contain?
02:28
There is no mandated form for it and various templates exist. However, it must include:
02:34
a description of the processing operations,
02:37
the purposes, including where applicable the legitimate interests pursued by the controller,
02:44
an assessment of the necessity and proportionality of the processing in relation to the purpose,
02:50
an assessment of the risks to the individuals,
02:53
the measures in place to address risk, including security, and to demonstrate compliance,
03:00
and a data protection impact assessment can address more than one project.
03:07
When conducting a data protection impact assessment, it may be necessary for the controller to seek out the views of data subjects or their representatives,
03:15
for example, contacting employee representatives or trade unions when planning new ways to process employee data,
03:23
or contacting patient groups when working with health data.
03:28
Where risks cannot be mitigated and remain high, it is required that the controller contact their supervisory authority before the start of processing.
03:38
The controller shall carry out reviews to ensure processing is carried out in accordance with the data protection impact assessment.
03:51
The appointment of a data protection officer is voluntary,
03:54
except where the organization processing data is
03:58
a public authority or body,
04:00
a controller or processor whose core activities require regular and systematic monitoring of data subjects on a large scale,
04:08
or processing on a large scale the special categories of data we discussed earlier.
04:15
If the organization decides not to appoint a data protection officer, the decision should be documented and updated when new activities or services are introduced.
04:25
The person filling the role should be selected on the basis of their expert knowledge and understanding of the organization's operations. Though the GDPR does not specify any particular qualification, the more sensitive or complex the processing, the more expert the person should be.
04:43
Once appointed, whether voluntarily or mandatorily, the data protection officer must have the authority to review all data processing.
04:51
The minimum tasks that should be performed are:
04:55
to inform and advise the organization and its employees about their obligations to comply with the GDPR and other data protection laws,
05:04
to monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities,
05:12
to advise on data protection impact assessments,
05:15
to train staff and conduct internal audits,
05:19
to be the first point of contact for supervisory authorities and for individuals whose data is processed,
05:25
e.g.
05:27
employees, customers, et cetera.
05:30
There are also duties assigned to the employer: to ensure that the role reports to the highest management level of the organization,
05:36
i.e. board level,
05:40
that the role operates independently and is not dismissed or penalized for performing its tasks,
05:45
and that adequate resources are provided to enable the data protection officer to meet their GDPR obligations.
05:51
Fundamentally, what this is getting at is that the data protection officer should have the full backing and authority of the board
05:59
in ensuring that the organization meets its security requirements under the GDPR.
06:05
If the organization decides not to appoint a data protection officer,
06:10
it should designate someone to take responsibility for data protection compliance
06:14
and assess where this role will sit within the organization's structure and governance arrangements.
06:19
The position should not be called a data protection officer, to avoid confusion.
06:25
It is most important that someone in the organization, or an external consultant, is responsible for compliance and has the knowledge, support and authority to carry out the role effectively.
06:40
The last area that we'll look at in this video is records of processing activities.
06:45
As well as the obligation to provide comprehensive, clear and transparent privacy policies, which are discussed in the video on lawfulness of processing,
06:54
organizations of 250 or more employees must maintain additional records of their processing activities.
07:01
If the organization has fewer than 250 employees,
07:04
it is required to maintain records of activities related to high-risk processing, such as processing personal data that could result in a risk to the rights or freedoms of the individual,
07:15
or
07:16
processing of special categories of data or criminal convictions or offenses.
07:23
So what needs to be recorded?
07:26
The name and contact details of the organization and, where applicable, of joint controllers, the organization's representative and the data protection officer,
07:36
the purposes of processing,
07:41
a description of the categories of individuals and categories of personal data that will be processed,
07:47
the categories of recipients of personal data,
07:50
details of transfers to third countries, including documentation of the transfer mechanism and safeguards in place,
08:00
retention schedules for each category of data,
08:03
and a general description of technical and organizational security measures.
08:09
Finally, these records may be required to be made available to the relevant supervisory authority
08:15
for the purposes of an investigation, for example after a breach.
08:20
In the next video, we'll be looking at data protection breaches.
08:24
In the meantime, thank you for watching.

Instructed By

Angus Alderman
Information Security Officer at Boden
Instructor