Data Protection Impact Assessment Process
Contents

1 Introduction ............................................................................ 8
1.1 Definitions ........................................................................... 8
2 Data protection impact assessment process ................................................ 9
2.1 Process diagram ....................................................................... 9
2.2 Establish the need and context ........................................................ 9
2.3 Document the use of personal data .................................................... 10
2.4 Identify the risks ................................................................... 11
2.4.1 Identify risk scenarios ............................................................ 12
2.5 Analyse the risks .................................................................... 12
2.5.1 Assess the likelihood .............................................................. 12
2.5.2 Assess the impact .................................................................. 13
2.5.3 Risk classification ................................................................ 14
2.6 Evaluate the risks ................................................................... 15
2.7 Define risk treatment plan ........................................................... 16
2.7.1 Risk treatment options ............................................................. 16
2.7.2 Selection of controls .............................................................. 16
2.7.3 Data protection impact assessment report ........................................... 17
2.8 Obtain management approval for residual risks ........................................ 17
2.9 Prior consultation with the ICO ...................................................... 18
2.10 Implement risk treatment actions .................................................... 18
2.11 Risk monitoring and reporting ....................................................... 18
2.12 Regular review ...................................................................... 19
2.13 Roles and responsibilities .......................................................... 19
2.13.1 RACI chart ........................................................................ 19
3 Conclusion ............................................................................. 20

Figures

Figure 1: Data protection impact assessment process diagram ............................... 9
Figure 2: Risk matrix chart .............................................................. 15

Tables

Table 1: Risk likelihood guidance ........................................................ 13
Table 2: Risk impact guidance ............................................................ 14
Table 3: RACI chart ...................................................................... 19
Version 1
Page 7 of 20
[Insert date]