Data Protection Impact Assessment
Assess and manage the risks to the rights and freedoms of individuals affected by your personal data processing activities.
What is a DPIA?
A Data Protection Impact Assessment (DPIA) is an iterative process for verifying the ongoing management of impacts on the rights and freedoms of data subjects when processing personal data.
GDPR Articles 35 and 36 require a DPIA for any processing likely to result in a high risk: systematic profiling, large-scale processing of sensitive data, systematic monitoring of a publicly accessible area, or use of new technologies.
Beyond the legal obligation, a DPIA is a valuable governance tool. It builds on the records of processing and enables data protection to be integrated from the design stage of a project (privacy by design). A consistent management framework must be established to account for periodic DPIA updates.
Our DPIA method is based on the MONARC risk analysis methodology and its associated tool, covering three risk typologies: information risks, operational risks and GDPR non-compliance risks.
How do we proceed?
Each impact assessment is broken down into four phases, from scope definition to ongoing monitoring.
DPIA scoping
Definition of the processing activities to be analysed: purposes, legal bases, data categories, retention periods. Identification of data subjects and stakeholders. Customisation of impact criteria and definition of risk assessment and acceptance criteria.
Information risk analysis
Structured approach via MONARC. Identification, assessment and treatment of risks across confidentiality, integrity and availability criteria for each asset, based on threat scenarios provided by MONARC knowledge bases.
Impact analyses and summary
Three distinct impact analyses: information risks (impacts on individuals resulting from a loss of confidentiality, integrity or availability of their data), operational risks (reputational, operational, legal, financial and personal impacts) and GDPR non-compliance risks. The phase concludes with a risk treatment plan and a formal DPIA summary.
Monitoring
Management framework to verify that the risk situation has not deteriorated. Periodic review of internal and external changes. Updating the records of processing and DPIAs to reflect developments.
Prerequisites
Up-to-date records of processing. Functional description of the relevant processing (purposes, legal bases, data categories). Data flow mapping: sources, recipients, processors, transfers. Access to the data controller and business teams. Involvement of the DPO (internal or outsourced) where applicable.
Public entity
Ongoing DPIA support as part of a DPO assistance engagement
As part of a DPO assistance engagement with a public entity, Tomeris is regularly consulted to initiate or update DPIAs as the organisation's projects and initiatives evolve.
Whether deploying a new application, redesigning a business process or introducing a new service provider, every change that could impact data processing is subject to a structured impact assessment covering all three risk typologies.
Thanks to the MONARC platform, all DPIAs are centralised and maintained continuously, giving the organisation a consolidated and always up-to-date view of its data protection risks.
Integrating DPIAs into the project lifecycle ensures systematic consideration of privacy by design.
Results
Need a Data Protection Impact Assessment?
Carry out a GDPR-compliant DPIA with a proven methodology and long-term follow-up.