Data protection impact assessment workshop

  • Let an experienced data protection consultant go through a data protection impact assessment (DPIA) step by step with you using one of your processing operations.

  • Learn how to do a GDPR-compliant DPIA yourself for all of your data processing operations.

  • Three-part digital workshop (2h + 4h + 2h)

1.999,00€, excluding 19% tax

GDPR-compliant data protection impact assessment

A data protection impact assessment must be performed if a risk analysis of your processing operations determines that it is required.

Identify risks to the rights and freedoms of data subjects using the data protection impact assessment. Determine which specific corrective measures can be taken to address these risks.

DPIA workshop

Analyse the processing operation of your choice under instruction from an experienced data protection consultant in our online data protection impact assessment workshop. Learn how to evaluate the scope and type of risk to the rights and freedoms of data subjects using a reliable criteria catalogue. We’ll provide you with potential measures to address these risks.

By the end, you’ll know how to perform a DPIA for your specific processing operations. And you’ll be able to carry out other DPIAs on your own in the future.

How does the online data protection impact assessment workshop work?

01. Find a date

After purchasing your workshop, give us three possible dates for a kick-off meeting. Please plan for around two hours and make sure that all relevant personnel can participate.

02. Kick-off

In the first part of the online workshop, we’ll tell you what to expect with a DPIA and look at your processing operation in detail.

03. Risk assessment

In the main part of the workshop, we’ll assess the level and nature of risk to the rights and freedoms of data subjects. In particular, we’ll consider the nature, scope, context and purposes of the processing.

04. Risk mitigation measures

At the end of the workshop, we’ll look at the provisions and processes we can use to reduce the risks and ensure sufficient data protection.

Our benefits package

  • Our highly experienced data protection consultants all have degrees in law.

  • We perform data protection impact assessments regularly for our clients and know the requirements for a variety of company sizes and industries.

  • You’ll get individual consultation customised to your needs. And you’ll gain from our highly optimised processes.


Frequently asked questions on data protection impact assessments

When is it necessary to carry out a data protection impact assessment?

The data protection impact assessment is defined in Art. 35 General Data Protection Regulation (GDPR). It is required in the following cases:

  • A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences. The special categories of data referred to in Art. 9 GDPR are:
    • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
    • data concerning health or data concerning a natural person’s sex life or sexual orientation;
    • genetic data, biometric data for the purpose of uniquely identifying a natural person.
  • Systematic monitoring of a publicly accessible area on a large scale. A publicly accessible area can also be, for example, the service area of a company that is open to the public.

A DPIA may also be required even if none of the above cases applies but the processing is still likely to result in a high risk to the rights and freedoms of the data subjects.

What must the data protection impact assessment contain?

The assessment must answer the following questions:

  • What are the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller?
  • What is the necessity and proportionality of the processing operations in relation to the purposes?
  • What are the risks to the rights and freedoms of data subjects, taking into account in particular the nature, scope, context and purposes of the processing?
  • What are the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned?

Who is responsible for the data protection impact assessment?

The controller is obligated to carry out the DPIA (Art. 35 Paragraph 1 GDPR). The controller must determine (as in other risk management areas) if a DPIA is necessary, and if so, ensure that it is carried out. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment (Art. 35 Paragraph 2 GDPR). The data protection officer must provide advice where requested as regards the data protection impact assessment and monitor its performance (Art. 39 Paragraph 1c GDPR).

How are the DPIA results processed?

If the results of the DPIA show that the data processing can be supported by the giving of consent (specifically Art. 6 GDPR), it must be ensured that the implementation of corrective technical and/or organisational measures sufficiently addresses the risks. The law requires the mitigation of risk. The importance of mitigation rises with increasing risk to the data subject.

According to Art. 36 GDPR, the controller shall consult the supervisory authority in the absence of measures taken by the controller to mitigate the risk.

Scope description of the data protection impact assessment workshop

Please note the following guidelines regarding the scope of our data protection impact assessment workshop:

  1. The workshop focuses solely on introducing the data protection impact assessment, evaluating the risks to the rights and freedoms of data subjects and evaluating risk mitigation measures. We cannot guarantee that a comprehensive and fully complete draft of the data protection impact assessment can be created during the workshop time frame. We are not obligated to carry out a data protection impact assessment; rather, we will teach you what is essential and how to evaluate risks and mitigation measures so that you can produce a data protection impact assessment yourself.
  2. Within the workshop, we can only evaluate the risks to the rights and freedoms of data subjects and evaluate risk mitigation measures for a specific processing operation.
  3. The controller must provide three scheduling options for the kickoff meeting on different weekdays and at different times. All times must be within the office hours of 9 a.m. to 6 p.m. The individual dates must be within two weeks of each other. If more time is needed, the controller can select a longer time frame.
  4. As the workshop is conducted remotely, the controller is responsible for their technical setup (e.g. sufficient and stable internet connection, functioning hardware and software, etc.).
  5. The service is deemed rendered if the workshop is completed with the following content: introduction of the data protection impact assessment, the evaluation of risks to the rights and freedoms of data subjects and the evaluation of risk mitigation measures.
  6. The workshop is a maximum of 8 hours and is split up as follows: 2h kickoff, 4h risk evaluation, 2h risk mitigation measures.