Data Protection Impact Assessment
Under the General Data Protection Regulation (AVG), the Judicial and Criminal Justice Data Act (Wjsg) and the Police Data Act (Wpg), organisations may be required to carry out a so-called Data Protection Impact Assessment (DPIA). This is the case when a data processing operation is likely to pose a high privacy risk to the people whose data the organisation is processing or when an organisation falls into one of the following categories:
- Systematic and comprehensive assessment of personal aspects based on automated processing, including profiling, with decisions that have an impact on natural persons taken on that basis.
- Large-scale processing of special personal data or criminal data.
- Large-scale and systematic tracking of natural persons in a publicly accessible area (e.g. with camera surveillance).
In addition, the Data Protection Authority has drawn up a list of types of processing for which the performance of a DPIA is mandatory before a processing operation starts. For all variants, it is your own responsibility to determine whether a DPIA is necessary.
Forvis Mazars can help you with
The IT Audit & Advisory team is happy to help you determine in advance whether a DPIA is necessary at all for your type of data processing. In addition, Forvis Mazars is keen to support you in the implementation of a DPIA. Performing a DPIA is not a one-off event, but an iterative and continuous process. You must continue to monitor whether your data processing changes. A DPIA may be mandatory if, for example, you are going to use a new technology or if you are going to use personal data for a different purpose.
Our approach meets the basic requirements set out in the AVG. Our approach, which we have already refined during several investigations, is aimed at guaranteeing the DPIA within your organisation. This ensures that our advice is of lasting value to your organisation.