Take-Aways (AI)
  • Practical manual for carrying out a data protection impact assessment (DPIA) in accordance with Art. 35 GDPR, freely available as a PDF from Fraunhofer Verlag.
  • Structured process in five phases: initiation, preparation, execution, implementation and ongoing review of the DPIA.
  • Detailed methodology covering risk analysis, remedial measures, documentation, responsibilities and the protection goals (Gewährleistungsziele) of the Standard Data Protection Model.

Nicholas Martin, Michael Friedewald, Ina Schiering, Britta A. Mester, Dara Hallinan and Meiko Jensen have published a practitioner's manual on "The data protection impact assessment under Art. 35 GDPR" (German: DSGVO; the DPIA is abbreviated DSFA in the original). The full text is available free of charge from Fraunhofer as a PDF.

Table of contents:

1 Introduction
1.1 Data protection
1.2 Data protection impact assessment
1.3 Responsibility for the DPIA
  Controller
  Data Protection Officer
  Product manufacturers, processors and joint controllers

2 Necessary preliminary work
2.1 Record of processing activities according to Art. 30 GDPR
2.2 Bodies involved
2.3 Documentation of the legal basis of the processing
2.4 Assessment of the necessity and proportionality of the processing

3 Phases of a DPIA

4 Phase I: Initiation of the DPIA
4.1 Procedure
4.2 Examination of the requirements of Article 35 (3) GDPR
4.3 Positive lists ("must lists") of the data protection supervisory authorities
4.4 Article 29 Working Party criteria
4.5 Independent assessment
4.6 Documentation of the assessment result

5 Phase II: Preparation of the DPIA
5.1 Procedure
5.2 Collection of information and description of the processing operations and the purposes of processing
5.3 Identification of the data subjects
5.4 Identification of other stakeholders
5.5 DPIA team

6 Phase III: Execution of the DPIA
6.1 Procedure
6.2 What are risks within the meaning of the GDPR?
  Damage and the impairment of rights and freedoms
  Events
6.3 Risk identification and risk analysis, creation of damage scenarios
  Analysis on the basis of the protection goals
6.4 Risk assessment
6.5 Selection of remedial measures
6.6 Assessment of the remaining risks and decision about further steps
6.7 Assessment of necessity and proportionality
6.8 Recommended methodology: participatory workshop-based approach
6.9 DPIA report
6.10 Prior consultation with the supervisory authority

7 Phase IV: Implementation of the DPIA
7.1 Implementation and testing of the remedial measures
7.2 Proof of compliance with the GDPR and release of the processing

8 Phase V: Continuous review of the DPIA

APPENDIX
A Description of the protection goals
A1 Data minimisation
A2 Availability
A3 Integrity
A4 Confidentiality
A5 Unlinkability
A6 Transparency
A7 Intervenability
B Further reading
C Abbreviations
D Notes
E About the authors