
GDPR Data Protection Impact Assessment (DPIA) Tool

A. Description of the Processing (Article 35(7)(a))
[Name of Enterprise Here] [Sample answers for fictional ABC Corporation]
Enter answers to questions / prompts in column A.

1. Nature, scope, context and purposes of the processing (Recital 90):
   A network application used to monitor employee activities within ABC Corporation's physical and network facilities to ensure safety and compliance with legal and policy requirements.

2. List of in-scope personal data items:
   Data reflects:
   1) employee activities around work stations
   2) employee network activities (login/logout, applications used, associated dates/times/durations/locations, etc.)
   3) internet activities (sites visited/duration of visits/IP addresses/dates/times/locations, etc.) made through the company's network
   4) phone calls (incoming/outgoing phone numbers/dates/times/durations/locations, etc.)

3. Recipients of personal data items (if not applicable, indicate N/A):
   Data controllers: management whose job responsibilities require such data; IT support personnel
   Data processors:
   * contracted physical safety/security vendor ACME Co.
   * contracted managed systems security vendor ABC Net Security
   * contracted phone systems vendor XYZ Telco

4. Period for which the personal data will be stored (e.g. in hours, days, weeks or years, etc.):
   Data will be stored as follows:
   1) Physical monitoring: for at least 6 months and in compliance with legal requirements
   2) Network monitoring: for at least 1 year and in compliance with legal requirements
   3) Phone calls: for at least 3 months and in compliance with legal requirements

5. Functional description of the processing operation:
   The application was created in-house by company IT personnel. The application imports data from three different vendors:
   * Physical safety/security data, video, audio and photo files from vendor ACME Co. are collected through an API from the ACME cloud-based system.
   * Company systems-activity data are generated internally, via tools used by company IT personnel. This data is combined with data collected through an API from systems-security vendor ABC Net Security.
   * Company IT personnel created an API to import data from contracted phone systems vendor XYZ Telco.
   * All data is then accessible through the company IT application, hosted within the company network.
   * Access to data files via the company application is based on minimum necessary privileges justified by job responsibilities.

Copyright 2017 ISACA Page 1 of 27

6. Processing or functional assets associated with in-scope personal data (e.g., hardware, software, networks, people, paper or paper-transmission channels):
   Functional assets related to personal data:
   * Company network
   * Computing devices attached to the company network
   * All software related to, and accessed by, the monitoring activities and supporting software and hardware
   * Personnel who need access to perform job duties, including but not limited to: IT tech support, HR, information security, privacy, legal, audit, call center, associated data processors (ABC Net Security, XYZ Telco, ACME Co.)

7. Compliance with the following approved codes of conduct has been confirmed (Article 35(8)). Provide one of the following answers:
   * Yes (list associated codes of conduct)
   * No (list associated codes of conduct)
   * Not Applicable (explain why)
   Answer: YES, with AccreditationsRUs, an approved privacy-sector accreditation body

Gap analysis worksheet column headings:

* ISACA GDPR Data Protection Privacy Impact Assessment (DPIA) Principle
* Gap Analysis Questions
* Which of the following answers best applies to your enterprise? Please enter a letter below. For "NA", provide an explanation. See full descriptions for each letter in the reference box below.
  A: Completely addressed, no gaps
  B: Mostly addressed, still a few gaps
  C: Addressed a few, most GDPR requirements not satisfied.
  D: Nothing has been done.
  NA: This does not apply to us.
* Associated Personal Data Security Risk & GDPR Mitigation Safeguards Actions: List or describe actions the enterprise will take to mitigate identified security risks and/or GDPR compliance gaps. If no security risk or gap mitigation is planned, please explain briefly.
* Associated Data Subject Privacy Harm Risk-mitigation Actions: List or describe actions the enterprise will take to mitigate identified harm risks. If no harm risk mitigation is planned, please explain briefly.
* Assessment Results for Privacy Principle: Summarize findings for the privacy principle associated with each row. Include the following points (as applicable):
  * Summary totals of answers for questions associated to the privacy principle. These totals will indicate the compliance and maturity level of associated activities in your privacy management program.
  * Statement of risks and gaps for the associated privacy principle (based upon the answers), along with any additional applicable description or information.
  * Summary of risk and privacy harm mitigation actions planned.
  * Additional information to benefit supervisory authorities, auditors and/or management regarding each privacy principle result.

Reference descriptions for A-D answers
A: Yes, we've completely addressed all points and are managing. Associated risks are sufficiently mitigated, or accepted and approved by management. There are no gaps with respect to GDPR requirements.
B: We've mostly addressed the points but still have a few actions outstanding; then we plan to manage. A few risks remain to be mitigated or accepted; and/or there are a few gaps with respect to GDPR requirements.
C: We completed a few activities to address the points; but many remain to be addressed. Then we will manage. Most risks have not been mitigated, and/or most GDPR requirements are not satisfied.
D: We have not done anything to address the points. No risks have been explicitly addressed nor accepted.
NA: This does not apply to us.

SAMPLE ENTRY (For illustration only, using sample data in worksheet A.)

1. Choice & Consent

Question 1) Do you have documented and enforced privacy and security policies (and supporting procedures) to provide choices, where appropriate, to data subjects regarding use of their personal data? Is consent obtained before using personal information for specific purposes, as required by GDPR? See GDPR Art. 6(1)
Answer: A
Security risk & GDPR mitigation safeguards actions:
   We have the following safeguards in place:
   * Documented policies and procedures for the facility, internet use and phone use monitoring.
   * Training for the policies and procedures.
   * Technology has been implemented within the surveillance systems to give notice to those within our facilities of the surveilling activities. At the entrance to our facilities we give notification that if the individual does not want to be surveilled they should not enter the facilities.
   * For the types of monitoring and surveillance implemented, no consent is necessary for entering the facilities or for monitoring network use to access the internet, as confirmed with GDPR supervisory authorities. Personnel understand these are conditions of employment.
   * For the phone calls we give notice and obtain consent.
   * Identification verification is obtained where necessary.
   * Data is retained according to the information given in the Introduction.
   Planned actions: None at this time.
Privacy harm risk-mitigation actions:
   We have the following harm prevention controls in place:
   * Documented policies and procedures detail how the data can and cannot be used.
   * Controls do not allow data to be shared to others without obtaining authorization for such sharing.
   * Data is irreversibly deleted upon reaching the end of the retention date or legal requirement, whichever arrives first.
   * We have cyber liability insurance to cover personal data breaches.
   * We have documented and implemented breach response plans in place.
   Planned actions: None at this time.

Question 2) Are consents (once obtained) appropriately documented and maintained? Can consents be easily provided upon request by data subjects and/or appropriate authorities? See GDPR Art. 7(1), Art. 7(2)
Answer: C
Security risk & GDPR mitigation safeguards actions:
   We have the following safeguards in place:
   * Documented policies and procedures for obtaining consents.
   * Training for the policies and procedures.
   * Technology has not yet been implemented to fully manage the consents. The new privacy manager will be responsible for accomplishing this.
   Planned actions: Implement technology to fully manage the consents.
Privacy harm risk-mitigation actions:
   We have the following harm prevention controls in place:
   * Documented policies and procedures detail how the data can and cannot be used.
   * Controls do not allow data to be shared to others without obtaining authorization for such sharing.
   * Data is irreversibly deleted upon reaching the end of the retention date or legal requirement, whichever arrives first.
   Planned actions: None at this time.

Question 3) If the enterprise collects information from children younger than 16 years of age, have you created and documented policies and implemented processes to collect parental consent as required by the GDPR?
Answer: NA: We do not allow children within our facilities or to use our networks.
Security risk & GDPR mitigation safeguards actions: NA
Privacy harm risk-mitigation actions: NA

Provide descriptions, comments and additional information for each associated column, as appropriate:
   We have hired a privacy manager to oversee consents management. That person will start in four weeks from the date on this DPIA. He will be responsible for ensuring all requirements for question 2 are accomplished.

Assessment Results for Privacy Principle: 1. Choice & Consent Summary
a. Maturity & Risk Levels
   # of Level A answers: 1
   # of Level B answers:
   # of Level C answers: 1
   # of Level D answers:
   # of NA answers: 1
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
   * Technology has not yet been implemented to manage consents fully. The new privacy manager will be responsible for accomplishing this soon after he starts working in this position (4 weeks from the date of this DPIA report).
   Position/person(s)/team assigned: Chris Jones, Privacy officer
c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
   * Technology has not yet been implemented to fully manage the consents. The new privacy manager will be responsible for accomplishing this soon after he starts working in this position (4 weeks from the date of this DPIA report).
   Position/person(s)/team assigned: Chris Jones, Privacy officer
d. Additional Information: The new privacy manager will be choosing a new system to automate the management of consents more effectively.
   We have hired a privacy manager to oversee the consents management. That person will start in four weeks from the date on this DPIA. He will be responsible for ensuring all requirements for question 2 are accomplished.
   Overall, most risk is being sufficiently mitigated and appropriately accepted where applicable; all GDPR requirements are being met for this Choice and Consent Privacy Principle.

1. Choice & Consent

1) Do you have documented and enforced privacy and security policies (and supporting procedures) to provide choices, where appropriate, to data subjects regarding use of their personal data? Is consent obtained before using personal information for specific purposes, as required by GDPR?
   See GDPR Art. 6(1)

2) Are consents (once obtained) appropriately documented and maintained? Can consents be easily verified upon request by data subjects and/or appropriate authorities?
   See GDPR Art. 7(1), Art. 7(2)

3) If the enterprise collects information from children younger than 16 years of age, have you created and documented policies and implemented processes to collect parental consent as required by the GDPR?

Provide descriptions, comments and additional information for each associated column, as appropriate.

Assessment Results for Privacy Principle: 1. Choice & Consent Summary
a. Maturity & Risk Levels
   # of Level A answers:
   # of Level B answers:
   # of Level C answers:
   # of Level D answers:
   # of NA answers:
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
   Position/person(s)/team assigned:
c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
   Position/person(s)/team assigned:
d. Additional Information:
2. Legitimate Purpose Specification and Use Limitation

1) Do you have documented and enforced privacy and security policies (and supporting procedures) to collect only the personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which the data are processed, in support of data-minimization requirements?
   See GDPR Art. 5(1)

2) Do you have documented and enforced privacy and security policies (and supporting processes) in place to ensure that personal data processing is lawful and necessary given the purposes for which the data were collected?
   See GDPR Art. 6(1)(b)

3) Do you have documented and enforced privacy and security policies (and supporting processes) in place to ensure that any intended further processing will be reviewed, and handled appropriately, prior to such use (e.g., obtaining additional data-subject consent, ensuring legal compliance, etc.)?
   See GDPR Art. 6(4)(a)

4) Do you have documented and enforced privacy and security policies (and supporting processes) in place to ensure that the processing and/or use of criminal conviction personal data are subject to the exclusive control of official authorities, or authorized by union or member state law?
   See GDPR Art. 10

5) Have you determined and documented situations to which the right to object does not apply, and implemented appropriate supporting procedures?
   See GDPR Art. 22(2)

6) Do the data protection officer job responsibilities include consideration of risks to personal data and the associated harm risks to data subjects so that purpose and use limitation can be appropriately considered?
   See GDPR Art. 39(2)

Provide descriptions, comments and additional information for each associated column, as appropriate.

Assessment Results for Privacy Principle: 2. Legitimate Purpose Specification and Use Limitation Summary
a. Maturity & Risk Levels
   # of Level A answers:
   # of Level B answers:
   # of Level C answers:
   # of Level D answers:
   # of NA answers:
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
   Position/person(s)/team assigned:
c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
   Position/person(s)/team assigned:
d. Additional Information:
3. Personal Information and Sensitive Information Life Cycle

1) Do you have documented and enforced privacy and security policies (and supporting procedures) to keep personal data for no longer than necessary to support the purposes for which they were collected, including legal and any applicable public interest, scientific and historic-research purposes?
   See GDPR Art. 5(1)

2) Do you have documented and enforced privacy and security policies (and supporting procedures) to decide whether or not special categories of personal data, or personal data related to criminal convictions/offences, have been used beyond the original purposes for which they were collected?
   See GDPR Art. 6(4)

3) Do you have documented and enforced privacy and security policies (and supporting procedures) to determine whether the following types of personal data are collected (and/or processed) under relevant exemptions provided within GDPR, or if such processing needs to be prohibited?
   a) data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership
   b) genetic data
   c) biometric data for the purpose of uniquely identifying a natural person
   d) data concerning health
   e) data concerning a natural person's sex life or sexual orientation
   See GDPR Art. 9(1)

4) Do you have documented and enforced privacy and security policies (and supporting procedures) that allow data subjects to be removed from using their personal data for direct marketing purposes whenever they request to be removed from such communications?
   See GDPR Art. 21(3)

5) Do you have documented and enforced privacy and security policies (and supporting procedures) that require implementation of appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific processing purpose are actually processed?
   See GDPR Art. 25(2)

6) Do you have documented and enforced privacy and security policies (and supporting procedures) to perform reviews, when necessary, that determine whether processing is performed in accordance with the data protection impact assessment, whenever the risk represented by processing operations changes?
   See GDPR Art. 35(11)

7) Do you have documented and enforced privacy and security policies (and supporting procedures) that document the legal derogations from GDPR rights for the use of personal data processed for scientific or historical research purposes or statistical purposes?
   See GDPR Art. 89(2)

Provide descriptions, comments and additional information for each associated column, as appropriate.

Assessment Results for Privacy Principle: 3. Personal Information & Sensitive Information Life Cycle Summary
a. Maturity & Risk Levels
   # of Level A answers:
   # of Level B answers:
   # of Level C answers:
   # of Level D answers:
   # of NA answers:
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
   Position/person(s)/team assigned:
c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
   Position/person(s)/team assigned:
d. Additional Information:
4. Accuracy and Quality

1) Do you have documented and enforced privacy and security policies (and supporting procedures) to ensure that personal data are kept accurate and up to date, as necessary, and to correct personal data errors without delay?
   See GDPR Art. 5(1)

Provide descriptions, comments and additional information for each associated column, as appropriate.

Assessment Results for Privacy Principle: 4. Accuracy and Quality Summary
a. Maturity & Risk Levels
   # of Level A answers:
   # of Level B answers:
   # of Level C answers:
   # of Level D answers:
   # of NA answers:
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
5. Openness, Transparency and Notice

1) Do you have documented and enforced privacy and security policies (and supporting procedures) to ensure that personal data are collected for clearly specific and legitimate purposes; not used for processing purposes other than those stated or as defined by GDPR; and are processed fairly, transparently and in compliance with applicable legal requirements?
   See GDPR Art. 5(1)

2) Do you have documented and enforced privacy and security policies (and supporting procedures and processes) to communicate to data subjects their rights, notices, and answer their questions and provide information to them relating to data processing, in a manner that is clear, easy to understand, and age appropriate to the data subject?
   See GDPR Art. 12(1)

3) Do you have documented and enforced privacy and security policies (and supporting procedures and processes) to provide, at the time personal data are obtained from data subjects, all necessary information elements, such as the data subject's rights; how to restrict use of their associated personal data; how to retract consents for personal data use, etc., as required by GDPR; as well as to ensure fair and transparent processing?
   See GDPR Art. 13(1), Art. 13(2), Art. 14(2), Art. 21(4)

4) Do you have documented and enforced privacy and security policies (and supporting procedures and processes) to provide the data subject with information describing any additional purposes for which previously collected personal information will be used and other relevant information, prior to further processing?
   See GDPR Art. 13(3), Art. 14(4)

5) Do you have documented and enforced privacy and security policies (and supporting procedures and processes) to inform data subjects of the safeguards applied when personal data are transferred to a third country or to an international organization?
   See GDPR Art. 15(2)

Provide descriptions, comments and additional information for each associated column, as appropriate.

Assessment Results for Privacy Principle: 5. Openness, Transparency and Notice Summary
a. Maturity & Risk Levels
   # of Level A answers:
   # of Level B answers:
   # of Level C answers:
   # of Level D answers:
   # of NA answers:
b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
   Position/person(s)/team assigned:
c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
   Position/person(s)/team assigned:
d. Additional Information:

6. Individual 1) Do you have documented and * Summary
6. Individual of risk and privacy
Participation harm mitigation actions planned.
Summary
Participation enforced privacy and security * Additional information to benefit supervisory authorities, auditors
a. Maturity & Risk Levels
and/or management regarding each privacy principle result.
policies (and supporting procedures
and easy-to-use processes) that # of Level A answers:
allow data subjects to withdraw # of Level B answers:
consent to use their associated # of Level C answers:
personal data at any time (including # of Level D answers:
# of NA answers:
personal data used in partnership
with other controllers), as long as the b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective
withdrawal does not result in legal Action Plan:
violations about which you have
informed the data subjects? Position/person(s)/team assigned:

c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:


See GDPR Art. 7(3), Art. 26(3)
Position/person(s)/team assigned:
2) Do you have documented and
enforced privacy and security d. Additional Information:
policies (and supporting procedures
and easy-to-use processes) in
partnership with any other joint
controllers to ensure that a data
subject whose identity has been
verified can exercise his or her rights
to request access to; information
about; corrections to;
deletion/destruction (erasure) of; or
restrictions on associated personal
data in compliance with the timing,
costs, and format of information
delivery requirements mandated by
the GDPR? And do these include
processes to provide documented
reasons for denying requests?

See GDPR Art. 12(2), Art. 12(3),


Art. 12(4), Art. 12(5), Art. 12(6),
Art. 14(3), Art. 16, Art. 17, Art.

Copyright 2017 ISACA Page 9 of 27


GDPR Data Protection Impact Assessment (DPIA) Tool

ISACA GDPR Data Protection Which of the following answers best applies Associated Personal Data Security Risk & Associated Data Subject Privacy Harm Assessment Results for Privacy Principle
to your enterprise? Please enter a letter GDPR Mitigation Safeguards Actions Risk-mitigation Actions
Privacy Impact Assessment below. For "NA", provide an explanation. Summarize findings for the privacy principle associated with
Principle (DPIA) & See full descriptions for each letter in List or describe actions the enterprise will List or describe actions the enterprise will each row. Include the following points (as applicable):
Gap Analysis Questions reference box below. take to mitigate identified security risks take to mitigate identified harm risks.
A: Completely addressed, no gaps and/or GDPR compliance gaps. * Summary totals of answers for questions associated to the privacy
B: Mostly addressed, still a few gaps If no harm risk mitigation is planned, please principle.
C: Addressed a few, most GDPR requirements not If no security risk or gap mitigation is explain briefly. These totals will indicate the compliance and maturity level of
satisfied. planned, please explain briefly. associated activities in your privacy management program.
D: Nothing has been done. * Statement of risks and gaps for the associated privacy principle
NA: This does not apply to us. (based upon the answers), along with any additional applicable
description or information.
3) Do you have documented and * Summary of risk and privacy harm mitigation actions planned.
enforced privacy and security * Additional information to benefit supervisory authorities, auditors
policies (and supporting procedures and/or management regarding each privacy principle result.
and easy-to-use processes) to allow a
data subject whose identity has been
verified to obtain confirmation
regarding whether or not personal
data are being processed (including
personal data used in partnership
with other controllers), and when
that is the case, to provide the data
subject access to the associated
personal data, including information
concerning the purposes; categories;
recipients; retention periods; rights
for deletion and registering
complaints; ability to restrict
personal data processing where
feasible and legal, with notices when
the restrictions are lifted; and data
source details where possible, in
compliance with GDPR requirements?

See GDPR Art. 15(1), Art. 18, Art.


4) Do you have documented and
enforced privacy and security
policies (and supporting procedures
and easy-to-use processes) to
provide a copy of personal data that
are not used in the public interest or
by official authorities, which copy
shall be processed upon request by
the data subject, without prejudice;
delivered in a commonly used digital
format, along with additional copies
as requested; for a reasonable fee
where the fee is based on actual
administrative costs?

See GDPR Art. 15(3), Art. 20(3)


5) Do you have documented and
enforced privacy and security
policies (and supporting procedures
and easy-to-use processes) that
enable data subjects to object to the
use of their personal data for direct-
marketing and profiling purposes,
including those that result in
decisions or circumstances affecting
the associated data subject legally?

See GDPR Art. 21(2), Art. 22(1)

Copyright 2017 ISACA Page 10 of 27


GDPR Data Protection Impact Assessment (DPIA) Tool

ISACA GDPR Data Protection Which of the following answers best applies Associated Personal Data Security Risk & Associated Data Subject Privacy Harm Assessment Results for Privacy Principle
to your enterprise? Please enter a letter GDPR Mitigation Safeguards Actions Risk-mitigation Actions
Privacy Impact Assessment below. For "NA", provide an explanation. Summarize findings for the privacy principle associated with
Principle (DPIA) & See full descriptions for each letter in List or describe actions the enterprise will List or describe actions the enterprise will each row. Include the following points (as applicable):
Gap Analysis Questions reference box below. take to mitigate identified security risks take to mitigate identified harm risks.
A: Completely addressed, no gaps and/or GDPR compliance gaps. * Summary totals of answers for questions associated to the privacy
B: Mostly addressed, still a few gaps If no harm risk mitigation is planned, please principle.
C: Addressed a few, most GDPR requirements not If no security risk or gap mitigation is explain briefly. These totals will indicate the compliance and maturity level of
satisfied. planned, please explain briefly. associated activities in your privacy management program.
D: Nothing has been done. * Statement of risks and gaps for the associated privacy principle
NA: This does not apply to us. (based upon the answers), along with any additional applicable
description or information.
6) Do you have documented and * Summary of risk and privacy harm mitigation actions planned.
enforced privacy and security * Additional information to benefit supervisory authorities, auditors
policies (and supporting procedures and/or management regarding each privacy principle result.
and easy-to-use processes) to enable
data subjects to contact the data
protection officer for any issue
related to processing of their
personal data or to the exercise of
their rights under GDPR?

See GDPR Art. 38(4)


Provide descriptions, comments
and additional information for
each associated column, as
appropriate.
7. Accountability

1) Do you have documented and enforced privacy and security policies (and supporting procedures) that detail:

a) the acceptable legal basis for processing personal data, as required by union or member state law; and
b) the procedure by which an enterprise determines whether processing for another purpose is compatible with the original purpose for collecting the personal data (taking into account the context in which the personal data were collected and in particular regarding the relationship between data subjects and the enterprise), as required by GDPR?

See GDPR Art. 6(1), Art. 6(3),

2) Do you have documented and enforced privacy and security policies (and supporting procedures) that detail:

a) requirements for establishing the data protection officer responsibilities;
b) the tasks for which the data protection officer will be responsible, in compliance with the GDPR; and
c) the measures in place to ensure that the person(s) fulfilling the role are appropriately qualified and knowledgeable of data protection legal requirements and are either a member of the enterprise, a contracted entity or from a processor that the enterprise has engaged?

See GDPR Art. 37(1); Art. 37(2); Art. 37(3); Art. 37(4), Art. 37(5),

3) Do you have documented and enforced privacy policies (and supporting procedures) to ensure that in the event personal data are not obtained from the data subject, the enterprise provides the data subject with the following information:

a) identity and contact details of the controller;
b) contact details of any applicable data protection officer;
c) documentation of the purposes and legal basis for personal data processing;
d) documentation of the categories of personal data concerned;
e) lists of recipients (or categories of recipients) of the personal data, if any;
f) records of intention to transfer personal data to a recipient in a third country or international organization, where applicable;
g) the existence or absence of an adequacy decision by the Commission; and
h) records of existing safeguards and the means to obtain a copy of them?

4) Do you have documented and enforced privacy and security policies (and supporting procedures) to ensure that:

a) within the enterprise and among all processors, the authority of the data protection officer is understood and acknowledged;
b) the data protection officer is involved in all issues regarding personal data;
c) all executives, including those at the highest level, not only provide clear support for the data protection officer but also provide the resources necessary (including knowledge and training) to discharge the position's responsibilities;
d) the data protection officer is not penalized for performing duties or maintaining necessary confidentiality; and
e) the data protection officer is also tasked with other responsibilities in addition to those of being data protection officer, as appropriate and reasonable given the business environment?

5) Do you have documented and enforced privacy and security policies (and supporting procedures) to ensure that the enterprise consults the appropriate supervisory authority and provides information (including responsibilities of the controller, purposes and means of processing, safeguards implemented, protections against privacy harms, etc.), as required by the GDPR, prior to processing, whenever a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk?

See GDPR Art. 36(1), Art. 36(3)

6) Do you have documented and enforced privacy and security policies (and supporting procedures) for the enterprise to designate in writing:

a) a representative in the union;
b) the ways in which the enterprise will demonstrate compliance with GDPR requirements (i.e., following approved codes of conduct, approved certification mechanisms, etc.); and
c) the mandate for the data protection officer to provide training and awareness messages directing the enterprise and its employees to comply with GDPR requirements?

See GDPR Art. 27(1), Art. 24(3), Art. 32(3), Art. 39(1)

Provide descriptions, comments and additional information for each associated column, as appropriate.

7. Accountability Summary

a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:

b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:

c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
Position/person(s)/team assigned:

d. Additional Information:
8. Security Safeguards

1) Do you have documented and enforced privacy and security policies (and supporting procedures) to ensure:

a) that appropriate safeguards are implemented to secure personal data, including protections against unauthorized or unlawful processing and against accidental loss, destruction or damage; and
b) that appropriate technical and/or organizational measures are applied when personal data are used for purposes other than that for which the data was initially collected (e.g., encryption, access controls, pseudonymization, documented policies, training, log reviews, etc.)?

See GDPR Art. 5(1), Art. 24(2),

2) Do you have documented and enforced privacy and security policies (and supporting procedures) to assess the likelihood of privacy harms to data subjects in the event of:

a) unauthorized access, sharing or use of personal data; and
b) unauthorized or accidental destruction, loss, or alteration of personal data?

Do you have documented and enforced privacy and security policies (and supporting procedures) to implement appropriate technical and organizational measures that ensure a level of security for the personal data appropriate to the personal harm risk, including, as appropriate:

a) such controls as pseudonymization and/or encryption;
b) such procedures to establish confidentiality, integrity, availability and resilience of processing systems and services, data backup and recovery; and

3) Do you have documented and enforced privacy and security policies (and supporting procedures) to obtain authorization, when applicable, from the competent supervisory authority for appropriate safeguards for personal data, by means of:

a) contractual clauses between the controller or processor and the controller, processor or the recipient of personal data in a third country or international organization;
b) and/or provisions in administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights?

See GDPR Art. 46(3)

Provide descriptions, comments and additional information for each associated column, as appropriate.

8. Security Safeguards Summary

a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:

b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:

c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
Position/person(s)/team assigned:

d. Additional Information:


GDPR Data Protection Impact Assessment (DPIA) Tool

ISACA GDPR Data Protection Which of the following answers best applies Associated Personal Data Security Risk & Associated Data Subject Privacy Harm Assessment Results for Privacy Principle
to your enterprise? Please enter a letter GDPR Mitigation Safeguards Actions Risk-mitigation Actions
Privacy Impact Assessment below. For "NA", provide an explanation. Summarize findings for the privacy principle associated with
Principle (DPIA) & See full descriptions for each letter in List or describe actions the enterprise will List or describe actions the enterprise will each row. Include the following points (as applicable):
Gap Analysis Questions reference box below. take to mitigate identified security risks take to mitigate identified harm risks.
A: Completely addressed, no gaps and/or GDPR compliance gaps. * Summary totals of answers for questions associated to the privacy
B: Mostly addressed, still a few gaps If no harm risk mitigation is planned, please principle.
C: Addressed a few, most GDPR requirements not If no security risk or gap mitigation is explain briefly. These totals will indicate the compliance and maturity level of
satisfied. planned, please explain briefly. associated activities in your privacy management program.
D: Nothing has been done. * Statement of risks and gaps for the associated privacy principle
NA: This does not apply to us. (based upon the answers), along with any additional applicable
description or information.
9. Monitoring, 1) Do you have documented and * Summary
9. of risk
Monitoring, and privacy
Measuring & harm mitigation
Reporting actions planned.
Summary
Measuring and enforced policies (and supporting * Additional information to benefit supervisory authorities, auditors
Reporting procedures) that specify what reports and/or
a. management
Maturity regarding each privacy principle result.
& Risk Levels
and/or tasks are the responsibility of
the data protection officer, including: # of Level A answers:
# of Level B answers:
a) monitoring compliance (including # of Level C answers:
compliance of data processors with # of Level D answers:
requirements); # of NA answers:
b) training staff;
c) ensuring performance of privacy- b. Summary of Risk Levels, Risk Mitigation Plan & Compliance
compliance audits; Corrective Action Plan:
d) ensuring performance of DPIAs;
e) cooperating with data protection Position/person(s)/team assigned:
authorities; and
f) providing additional reports and c. Summary of Privacy Harm Risks & Harm Risk Mitigation
monitoring, as appropriate? Plan:

See GDPR Art. 39(1) Position/person(s)/team assigned:

d. Additional Information:
2) Do you have documented and
enforced policies (and supporting
procedures) to provide reports for
data subjects (at specified times;
upon their request as appropriate;
and reflecting all components
required by GDPR), including:

a) personal data-breach notifications;


b) reports regarding correction of
personal data erasure and/or
incorrect personal data;
c) reports showing the content of
personal data associated to the
subject;
d) reports showing the personal data
associated to the subject that the
enterprise has shared with others,
including the reasons for such
sharing; and
e) full digital copies of personal data
transmitted directly to another data
controller in support of data
portability requirements.

See GDPR Art. 17, Art. 19, Art.


20(1), Art. 20(2), Art. 34(2)

Copyright 2017 ISACA Page 16 of 27


GDPR Data Protection Impact Assessment (DPIA) Tool

ISACA GDPR Data Protection Which of the following answers best applies Associated Personal Data Security Risk & Associated Data Subject Privacy Harm Assessment Results for Privacy Principle
to your enterprise? Please enter a letter GDPR Mitigation Safeguards Actions Risk-mitigation Actions
Privacy Impact Assessment below. For "NA", provide an explanation. Summarize findings for the privacy principle associated with
Principle (DPIA) & See full descriptions for each letter in List or describe actions the enterprise will List or describe actions the enterprise will each row. Include the following points (as applicable):
Gap Analysis Questions reference box below. take to mitigate identified security risks take to mitigate identified harm risks.
A: Completely addressed, no gaps and/or GDPR compliance gaps. * Summary totals of answers for questions associated to the privacy
B: Mostly addressed, still a few gaps If no harm risk mitigation is planned, please principle.
C: Addressed a few, most GDPR requirements not If no security risk or gap mitigation is explain briefly. These totals will indicate the compliance and maturity level of
satisfied. planned, please explain briefly. associated activities in your privacy management program.
D: Nothing has been done. * Statement of risks and gaps for the associated privacy principle
NA: This does not apply to us. (based upon the answers), along with any additional applicable
description or information.
3) Do you have documented and * Summary of risk and privacy harm mitigation actions planned.
enforced policies (and supporting * Additional information to benefit supervisory authorities, auditors
procedures) that will trigger data and/or management regarding each privacy principle result.
protection impact assessments
(DPIAs) in accordance with the GDPR,
generally in the following situations:

a) when processing personal data


using new technologies and systems;
b) when requested by management
or determined to be necessary by the
data protection officer;
c) when required for automated
processing and decision making,
including profiling systems;
d) when processing large amounts of
special categories of personal data or
personal data related to criminal
convictions and offences;
e) whenever systems monitor
publicly accessible areas on a large
scale;
f) whenever processing operations
involve personal data; and
g) whenever monitoring data
subjects?

See GDPR Art. 35(1), Art. 35(2),


Art. 35(3), Art. 35(6)
4) Do you have documented and
enforced policies (and supporting
procedures) governing the content
required in DPIA reports, as
mandated by the GDPR, including:

a) a systematic description of the


processing operations, purposes and
legitimate interest pursued by your
enterprise when applicable;
b) an assessment of the necessity
and proportion of processing
operations in relation to purposes;
c) an assessment of the risks to the
rights and freedoms related to the
data; and
d) an assessment of the measures
necessary to mitigate risks
(including, for example, safeguards,
security measures and mechanisms
to protect personal data and
demonstrate compliance with the
GDPR)?

See GDPR Art. 35(7)

Copyright 2017 ISACA Page 17 of 27


GDPR Data Protection Impact Assessment (DPIA) Tool

ISACA GDPR Data Protection Which of the following answers best applies Associated Personal Data Security Risk & Associated Data Subject Privacy Harm Assessment Results for Privacy Principle
to your enterprise? Please enter a letter GDPR Mitigation Safeguards Actions Risk-mitigation Actions
Privacy Impact Assessment below. For "NA", provide an explanation. Summarize findings for the privacy principle associated with
Principle (DPIA) & See full descriptions for each letter in List or describe actions the enterprise will List or describe actions the enterprise will each row. Include the following points (as applicable):
Gap Analysis Questions reference box below. take to mitigate identified security risks take to mitigate identified harm risks.
A: Completely addressed, no gaps and/or GDPR compliance gaps. * Summary totals of answers for questions associated to the privacy
B: Mostly addressed, still a few gaps If no harm risk mitigation is planned, please principle.
C: Addressed a few, most GDPR requirements not If no security risk or gap mitigation is explain briefly. These totals will indicate the compliance and maturity level of
satisfied. planned, please explain briefly. associated activities in your privacy management program.
D: Nothing has been done. * Statement of risks and gaps for the associated privacy principle
NA: This does not apply to us. (based upon the answers), along with any additional applicable
description or information.
5) Do you have documented and * Summary of risk and privacy harm mitigation actions planned.
enforced policies (and supporting * Additional information to benefit supervisory authorities, auditors
procedures) to provide appropriate and/or management regarding each privacy principle result.
supervisory authorities with contact
information for the data protection
officer and reports regarding
breaches of personal data security,
reflecting all components required by
the GDPR?

See GDPR Art. 37(7), Art. 33(5)


6) Do you have documented and enforced policies (and supporting procedures) to maintain a record of processing activities involving personal data that includes:

a) the name and contact details of your enterprise and, where applicable, of any joint controller, the controller's representative and the data protection officer;
b) the purposes of the processing;
c) a description of the categories of data subjects and of the categories of personal data involved in the processing;
d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
e) transfers of personal data to a third country or an international organization, where applicable, including the identification of that third country or international organization and documentation of the associated safeguards; and
f) where possible, the established

Copyright 2017 ISACA Page 18 of 27


7) Do you have documented and enforced policies (and supporting procedures) that specify the written records required of your processors, including:

a) the name and contact details of the processor(s) and of each controller on behalf of which the processor is acting and, where applicable, of the controller's or processor's representative and data protection officer;
b) the categories of processing carried out on behalf of each controller; and
c) transfers of personal data to a third country or an international organization, where applicable, including the identification of that third country or international organization and documentation of suitable safeguards?

See GDPR Art. 30(2)

8) Do you have documented and enforced policies (and supporting procedures) governing the use of, and responsibilities relating to, binding corporate rules, including:

a) how the information on the binding corporate rules is provided to data subjects;
b) the tasks for which data protection officers are responsible concerning compliance with the binding corporate rules;
c) mechanisms for verifying compliance with the binding corporate rules (e.g., data protection audits);
d) communication of the results of compliance audits to the appropriate entities and authorities;
e) mechanisms for ensuring cooperation with supervisory authorities regarding compliance; and
f) mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings (or group of enterprises engaged in a joint economic activity) is subject in a third country, whenever such

Provide descriptions, comments and additional information for each associated column, as appropriate.

10. Preventing Harm

10. Preventing Harm Summary

a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:

b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:

c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
Position/person(s)/team assigned:

d. Additional Information:

1) Do you have documented data subject harm-prevention policies (and supporting procedures) that specify how to determine whether personal data processing (including processing for purposes other than those for which the personal data were initially collected) is lawful because:

a) the associated data subject has given consent (explicit consent where special categories of personal data are involved);
b) it is necessary for the performance of a contract with the data subject;
c) it is necessary for compliance with a legal obligation;
d) it is necessary to protect the vital interests of the data subject or of another natural person;
e) it is necessary for a task carried out in the public interest or in the exercise of official authority; or
f) it is necessary for the legitimate interests pursued by your enterprise, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject?

See GDPR Art. 6(1), Art. 6(4)

Do you have documented data subject harm-prevention policies (and supporting procedures) that specify the possible consequences to data subjects for any further

2) Do you have documented data subject harm-prevention policies (and supporting procedures) that outline how to ensure that decisions relating to data subjects are not based on special categories of personal data unless specific safeguards have been implemented?

See GDPR Art. 22(4)

3) Do you have documented data subject harm-prevention policies (and supporting procedures) that specify the right of data subjects not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects concerning them or similarly significantly affect them, and that also specify the actions (and associated contact methods) your enterprise will use to obtain the views of data subjects (or their representatives) on the intended processing?

See GDPR Art. 22(1), Art. 35(9)

4) If you are established in a Member State, do you have documented data subject harm-prevention policies (and supporting procedures) relating to the use of information from churches and religious associations and communities?

See GDPR Art. 91(1)

5) Do you have documented data subject harm-prevention policies (and supporting procedures) to ensure that data subjects who exercise their rights to change how their personal data are used, to request copies of their personal data, and/or to exercise other rights under the GDPR do not adversely affect the rights and freedoms of others?

See GDPR Art. 15(4), Art. 20(4)

6) Do you have documented data subject harm-prevention policies (and supporting procedures) to provide technical and organizational measures that ensure respect for the principle of data minimization, as detailed within the GDPR, whenever personal data are used for:

a) archiving purposes in the public interest;
b) scientific or historical research purposes; or
c) statistical purposes?

See GDPR Art. 89(1)

Provide descriptions, comments and additional information for each associated column, as appropriate.

11. Third-party/Vendor Management

11. Third-party/Vendor Management Summary

a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:

b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:

c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
Position/person(s)/team assigned:

d. Additional Information:

1) Do you have documented third-party / vendor management policies (and supporting procedures) to ensure that your enterprise will not use processors unless:

a) they provide sufficient guarantees, and verified proof, that they have implemented appropriate technical and organizational (physical and administrative) measures and controls that meet GDPR requirements and support data subject rights;
b) the data protection officer or equivalent provides written authorization to use the processor; and
c) the processor contractually agrees to obtain your prior written authorization (specific or general) before engaging other processors, and to notify your organization whenever it adds or replaces other processors?

See GDPR Art. 28(1), Art. 28(2)

2) Do you have documented third-party / vendor management policies (and supporting procedures) that specify the type of documented contract (in hard copy and/or digital form), or other legal act under Union or Member State law, binding on the processor with regard to your enterprise, that sets out:

a) the subject matter and duration of the processing;
b) the nature and purpose of the processing;
c) the types of personal data, the categories of data subjects and the eight processor obligations required under GDPR Art. 28(3); and
d) the obligation to notify your organization of any violations and of anticipated changes in those obligations, and the right of your enterprise to verify (e.g., through audits and inspections) that the requirements are met?

See GDPR Art. 28(3)

3) Do you have documented third-party / vendor management policies (and supporting procedures) that detail the actions processors must take when they engage other processors to carry out specific processing activities that are part of the activities your organization contracted the processor to perform? Such policies should ensure that:

a) the subcontract imposes on the other processor the same requirements the processor agreed to in its contract with your organization;
b) the processor verifies, and can show proof of, the other processor's implementation of those requirements, including compliance with any applicable code of conduct or certification mechanism; and
c) the processor working directly with your organization remains fully liable to you for the performance of all obligations?

See GDPR Art. 28(4)

4) Do you have documented third-party / vendor management policies (and supporting procedures) that specify the steps your organization must take to ensure that natural persons acting under the authority of your organization (and those of your processors who have access to personal data) follow:

a) all personal data policies and procedures;
b) the instructions provided by your organization or by the processor for which the natural persons work; and
c) all associated rules and any requirements established by Union or Member State law?

See GDPR Art. 32(4), Art. 29

Provide descriptions, comments and additional information for each associated column, as appropriate.

12. Breach Management

12. Breach Management Summary

a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:

b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:

c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
Position/person(s)/team assigned:

d. Additional Information:

1) Do you have documented personal data breach policies (and supporting procedures) that include requirements for:

a) notifying the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it (unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons), with reasons documented for any notification made after that deadline;
b) communicating the breach to the affected data subjects without undue delay when it is determined (following documented procedures for performing a harm risk analysis) that the breach is likely to result in a high risk to their rights and freedoms; and
c) including in each notification all items required by the GDPR (the nature of the breach, the categories and approximate number of data subjects and records concerned, the contact details of the data protection officer or other contact point, the likely consequences, and the measures taken or proposed)?

See GDPR Art. 33(1), Art. 33(2), Art. 33(3), Art. 33(4), Art. 34(1)

Provide descriptions, comments and additional information for each associated column, as appropriate.

13. Security and Privacy by Design

13. Security and Privacy by Design Summary

a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:

b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:

c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
Position/person(s)/team assigned:

d. Additional Information:

1) Do you have documented and enforced policies (and supporting procedures) to build security and privacy protections into the full lifecycle of automated decision-making processes involving personal data; to safeguard the data subject's rights, freedoms and legitimate interests; to enable human intervention by your enterprise (as the controller); to allow the associated data subjects to express their point of view on the decisions; and to allow the data subjects to contest the decisions?

See GDPR Art. 22(3)

2) Do you have documented and enforced policies (and supporting procedures) to assess (or otherwise take into account) the risks associated with the nature, scope, context and purposes of processing personal data, together with the likelihood and severity of harms to data subjects, and then to design, build and implement appropriate technical, administrative and physical security and privacy controls, supported by documented privacy principles (e.g., the ISACA Privacy Principles and/or IEEE privacy standards), that mitigate those harms to the extent possible in compliance with the GDPR and protect the rights of data subjects?

See GDPR Art. 24(1), Art. 25(1)

Provide descriptions, comments and additional information for each associated column, as appropriate.

14. Free Flow of Information and Legitimate Restriction

14. Free Flow of Information and Legitimate Restriction Summary

a. Maturity & Risk Levels
# of Level A answers:
# of Level B answers:
# of Level C answers:
# of Level D answers:
# of NA answers:

b. Summary of Risk Levels, Risk Mitigation Plan & Compliance Corrective Action Plan:
Position/person(s)/team assigned:

c. Summary of Privacy Harm Risks & Harm Risk Mitigation Plan:
Position/person(s)/team assigned:

d. Additional Information:

1) Do you have documented and enforced policies (and supporting procedures) to submit binding corporate rules to the competent supervisory authority for approval through the consistency mechanism, so that they are legally binding; include all necessary and appropriate data protections; are consistently enforced; provide all legally required data subject rights; and fulfill GDPR requirements?

See GDPR Art. 47(1), Art. 47(2)

2) Do you have documented and enforced personal data transfer policies (and supporting procedures) which, in the absence of an adequacy decision and of appropriate safeguards such as binding corporate rules, permit a transfer of personal data only under one of the seven derogations listed in the GDPR, or, where none of those derogations applies, only if:

a) the transfer is not repetitive;
b) it concerns only a limited number of data subjects;
c) it is necessary for the purposes of compelling legitimate interests pursued by the controller, which are not overridden by the interests, rights and freedoms of the data subject;
d) your enterprise has assessed all the circumstances surrounding the transfer and implemented suitable safeguards to mitigate the associated security and privacy risks; and
e) your enterprise has informed the appropriate supervisory authority, and the data subjects concerned, of the transfer?

See GDPR Art. 49(1)

3) Do you have documented and enforced personal data transfer policies (and supporting procedures) that include the steps to follow for transferring personal data to a third country or to an international organization only after the applicable conditions have been validated in accordance with all transfer and onward-transfer requirements within the GDPR, including: an adequacy decision, an international agreement, verified existence of appropriate safeguards, enforceable data subject rights, and available effective legal remedies?

See GDPR Art. 44, Art. 45, Art. 46(1), Art. 48

4) Do you have documented and enforced personal data policies (and supporting procedures) to support lawful processing that:

a) occurs without the data subject's consent and/or notice, and in specific situations where the data subject has objected; but
b) supports legitimate and documented public-interest, official-authority, scientific and historical-research purposes?

See GDPR Art. 6(1), Art. 21(6)

5) Do you have documented and enforced data security policies (and supporting procedures) to implement personal data transfer safeguards, as applicable to each situation, under: legally binding instruments between public authorities; binding corporate rules; standard data protection clauses adopted by the Commission or by the applicable supervisory authority; approved codes of conduct; or approved certification mechanisms, as detailed within the GDPR?

See GDPR Art. 46(2)

Provide descriptions, comments and additional information for each associated column, as appropriate.
