Data Privacy Buy-In: The Usual Suspects and What to Say to Them
Getting the business to say “yes” to data privacy isn’t easy. Yet it...
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Published: April 5, 2024
The GDPR contains plenty of requirements, penalties, obligations, rights, and definitions—but it doesn’t contain a specific template for DPIAs, or data protection impact assessments.
If you’re struggling to identify exactly what your DPIA is supposed to contain, you can review this blog to find out how to start. We’ll walk through what a DPIA is, the actual template itself, and then guidance on how you can make the DPIA process and workflow faster and easier.
DPIAs are covered in Article 35 of the GDPR. Here’s what Article 35 has to say about DPIAs:
Where a type of processing [...] is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
It goes on to list three specific circumstances where a DPIA is required, though this list is not exhaustive:
Generally speaking, any major project that involves personal data should have a DPIA associated with it.
For more details, take a look at What Is a DPIA (Data Protection Impact Assessment)?
Provide a summary of why you believe the project needs a DPIA. What does it aim to achieve, and what type of processing does it involve? Refer to supporting documents, such as project proposals, as needed.
You’ll want to detail the nature, scope, context, and purpose of the processing. That includes answering questions like:
What other experts and stakeholders will you include in your DPIA, and what was their feedback? Did you speak with the individuals likely to be impacted by the processing, information security and privacy experts, or downstream processors?
This step in your DPIA is all about determining whether the processing really needs to or should occur in the first place. Do you have a solid lawful basis for the processing? Does the processing actually achieve your goal, and are you only collecting the data that you absolutely need to do so? Are there alternative approaches that don’t require data collection? Ask yourselves questions along these lines and record the relevant information here.
Make sure to identify and list the sources and nature of various risks that could be associated with the processing. For each of these risks, score their:
Based on the risks you previously identified, list out the measures you could take to reduce or eliminate them, focusing especially on the high and medium risks.
Then, describe the impact you’ve had on the identified risk, including:
Create a record of approvals and outcomes. This should include:
Filling out a form according to these instructions is straightforward enough—but the reality of implementing them on a per-project basis is complex.
DPIAs need to be conducted before work can begin, and they must be maintained as work goes on. That means multiple stakeholders need to be aligned in terms of what their contributions must be and when they must be made. Consider the different parties involved:
Some of these stakeholders can’t be rush (like your local data protection authority), which means receiving timely information from the parties you have a working relationship with (such as your colleagues, DPO, and vendors) is essential.
Moreover, assessments like these need to be conducted on a regular basis and maintained on a regular basis. As they build up, it can be easy for a DPO or other privacy professional to lose track of which DPIAs are out of date, which are awaiting input from DPIA stakeholders, and so on.
That’s why DPOs and privacy professionals should look for a data privacy management platform with a built-in assessments module. In the Osano platform, you can:
That’s not to mention the library of other assessment types and custom assessment functionality in Osano—or its suite of additional privacy solutions.
Schedule a demo of the Osano Platform today! Or, if you’d like to walk through the DPIA process on your own to understand requirements, download a DPIA template here.
Want quick access to an editable version of this template? Download our DPIA template here.
Download Now
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.