Data Protection Impact Assessment
The assessment for mitigating elevated privacy risks and demonstrating GDPR compliance within the scope of the DPIA.
A data protection impact assessment (DPIA) is an operational risk analysis. It is a snapshot of the privacy risks within the scope of the DPIA at the time of the assessment, which gives you a basis for further improvement. Performing a DPIA is not merely a legal requirement: by processing personal data responsibly you build trust, improve information security, and become a more attractive business partner. With this service:
We support your organisation in identifying privacy risks in the processes in scope and in acting adequately on them, while you continue to focus on your core business.
We are able to support you in the aftermath of the DPIA in implementing any necessary measures.
We deal with the matter of GDPR compliance for projects or changes in your process so you do not have to.
Combine building trust with complying with relevant privacy law
We blend EU norms and best practices in our DPIA approach. This unites the best of both worlds: an adequate assessment of the risks and an acceptable residual risk level. Desk research and interviews with stakeholders allow us to understand your process, assess the risks, and advise measures. We deliver the results as a pragmatic report for your privacy professionals: it sheds light on the privacy risks and, where necessary, the remediation needed to stay in control.
Frequently Asked Questions
Why should I do a State of Security Assessment?
Defining the state of security is the first step towards improving information security. By taking adequate, pragmatic measures you gain control over your risks. Northwave’s approach is more holistic than a ‘simple’ ISO 27001 gap analysis.
It provides an in-depth security maturity perspective. The assessment gives you a current, state-of-the-art view of your state of security (and therefore of your security maturity). Besides this, it offers an overview of the risks and of the structural measures and quick wins needed to enhance information security in your company.
What is a state of security assessment?
The State of Security Assessment is an integral approach to identifying the current state of security within a company. It allows you to evaluate your current level of security and your security maturity level. Typically, a State of Security Assessment is a way to gain insight into the key steps for improving your organisation’s maturity. It can also provide insight into your overall state after a cyber incident, or demonstrate maturity when acquiring cyber insurance.
How does a state of security assessment help increase the security of a company?
As part of the assessment, Northwave formulates an expert opinion and actionable advice with which you and your organisation can take the next steps to improve your information security. The result of the assessment combines insight into your potential risk exposure (the measure of potential future loss resulting from a specific activity or event), your current information security maturity, and a security roadmap that provides the measures needed to reduce these risks and keep control.
The assessment and the actionable advice are delivered in the form of a report including a security roadmap. This roadmap is a strategic plan of the choices you can make to reduce your risks or improve your maturity. We present the results personally, together with you, to your board of directors.
How can the findings be implemented?
With the roadmap and recommendations covering all security aspects (Business, Bytes, Behaviour), the company receives pragmatic recommendations to structurally improve and remain in control of its information security. Some organisations do not have a dedicated security team or the resources to implement and run an ISMS (Information Security Management System); for them, Northwave offers the option of the SPO (Security and Privacy Office).
The Security and Privacy Office is an outsourced security team that implements and runs an ISMS. It consists of a security officer and a team of experts who manage security and privacy incidents.
Frequently Asked Questions
We can imagine that you have many questions. You can always contact us to learn more. Below are a few examples of questions that we can investigate further with you.
What is a DPIA?
A DPIA is an assessment designed to integrate privacy into a change you would like to make in the way you process personal data, where that change could involve a high risk for the people the processing relates to. The DPIA supports the mapping of risks and of the measures needed to mitigate those risks. This benefits you with regard to complying with privacy legislation, and it benefits your data subjects (people) because it demonstrates that you take their privacy seriously.
What is personal data?
So, a DPIA relates to personal data, but what is personal data? Personal data directly or indirectly identifies an individual: the information states personal characteristics about an individual which lead you to (be able to) identify that individual.
For example: a bus is departing from platform one. There are three men on the bus; all the other ten passengers are female. A passenger on the bus describes a female passenger on that bus ride to a friend on the phone because the person looks familiar. The passenger states the following: female; green coat; red, curly hair; big nose; nose piercing. Only one person meets these criteria, and the friend on the other end of the phone call is also able to identify this person. This means all the characteristics used to describe the woman on the bus are personal data, even though no one directly states that Samantha with the big nose is on Bus 5.
When is a DPIA mandatory?
Based on the GDPR, a DPIA is mandatory when the processing activity potentially poses a high risk to the data subjects. But what is a high risk? There are some predefined criteria concerning this:
- Systematic and comprehensive assessment of personal aspects which is based on automated processing (including profiling) and on which decisions are based that have legal effects or similarly significantly affect the natural person.
- Large-scale processing of special personal data or criminal convictions and offences.
- Systematic and large-scale monitoring of publicly accessible spaces.
In addition to the above, supervisory authorities have further situations in which DPIAs are mandatory. Northwave has the expertise to help you assess whether a DPIA is mandatory based on the overviews of the European Data Protection Board and the national supervisory authorities.
Feel free to contact us for a non-binding check on your obligation to perform a DPIA.
When is a DPIA not mandatory?
A DPIA is not required when the data processing:
- will not likely result in a high privacy risk;
- is regulated by another European or national law and a DPIA was already carried out when this law was drafted (unless the supervisory authority decides that a DPIA is necessary after all);
- is on a list of processing operations for which a DPIA is not mandatory. The GDPR gives the supervisory authority the opportunity to draw up such a list, but this is not mandatory. The Dutch supervisory authority (Autoriteit Persoonsgegevens) has not (yet) drawn up such a list.
What are the risks of not executing a DPIA when it is mandatory?
Failure to perform a DPIA when it is mandatory, or failure to perform it correctly, may result in a number of negative consequences. One of the most important is reputational damage to your business, because the failure to identify and mitigate risks results in a data breach, complaints regarding the legitimacy of the processing activities, or another scenario that might be popping up in your head just now. Another possible consequence is an administrative fine of up to EUR 10 million or, in the case of a company, up to 2% of the total worldwide annual turnover of the previous financial year, whichever is higher.