Managing Risk to Data Subjects’ Personal Data

Updated as of: September 19, 2019

Pursuant to Article 35 of the General Data Protection Regulation (“GDPR”), Preemptive Love Coalition, a U.S. registered 501(c)3 charitable organization [*corporate name] (“Preemptive Love Coalition,” “we,” “us,” or “our”), has implemented the following guidelines and policy for conducting Data Protection Impact Assessments (“DPIA(s)”).

The GDPR describes the content of an acceptable DPIA in Article 35(7) as follows: 

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; 

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; 

(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and 

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

A DPIA is:

  • A tool or process used to assist in identifying and minimizing the privacy risks of new projects, systems, or policies; and/or
  • A type of impact assessment by which we conduct an audit of Preemptive Love Coalition’s processes to see how these processes affect or could compromise the privacy of the individuals from the European Economic Area, whose personal data is held, collected, and/or processed by Preemptive Love Coalition, such as the personal data of customers, website visitors, employees, contractors, etc. (each a “Data Subject”).

A DPIA is designed to accomplish three goals:

  • Ensure compliance with applicable legal, regulatory, and policy requirements for privacy;
  • Determine the risks and effects; and
  • Evaluate protections and alternative processes to mitigate potential privacy risks.

A DPIA should be conducted when Preemptive Love Coalition plans to

  • Embark on a new project involving the collection of personal data;
  • Introduce new IT systems for storing and accessing personal data;
  • Participate in a new data-sharing initiative with third parties;
  • Initiate actions based on a policy of identifying particular demographics; 
  • Use existing data for a “new and unexpected or more intrusive purpose”; and
  • Process data in a manner which is “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR Article 35(1)).

DPIAs should be documented using the form attached as Appendix 1. Completed DPIA forms should be submitted to our Data Protection Officer (“DPO”), Dane Barnett, at dataprotection@preemptivelove.org and to [_______________] at Preemptive Love Coalition.

Appendix 1: Data Protection Impact Assessment (DPIA) Form

Project name: 

Date DPIA started:

Part 1 — Preparation for Risk Assessment

Project Outline

Outline the scope of the project, its aims, and its potential impact; explain what the project consists of; and describe why it is undertaken. Include links/attachments to any relevant documents that may be helpful (e.g., a project proposal).

Prior Projects

Conduct a search for prior projects, from both inside and outside Preemptive Love Coalition, to look for design features that have been created for other projects in order to address similar situations.

Affected and/or Involved Participants

List all Preemptive Love Coalition individuals involved in the project and Data Subjects who may be affected by it.

Preemptive Love Coalition individuals and affiliates:

Data Subjects:

Part 1 completed by: 

Date: 

Part 2 — Data Flow

Map the data flows (where do you obtain the data, how are they processed, where are they stored, etc.). Include links/attachments, as necessary.

Part 2 completed by: 

Date: 

Part 3 — Compliance with Privacy Laws

3.1 General Data Protection Regulation (GDPR)

See Appendix A for the Data Protection Compliance Checklist. Describe conclusions drawn and issues highlighted from completing the Checklist below:

3.2 General duty of confidence (if applicable)

3.3 Other privacy-related regulations (including applicable U.S. federal regulations)

Part 3 completed by: 

Date: 

Part 4 — Technology and Data Collection and Handling

4.1 Technology

Will there be new or additional information technology that has or may have substantial potential for privacy intrusion?

Yes:

No:

4.2 Data Collection

4.2.1 Will the project involve the collection of any new information about Data Subjects?

Yes:

No:

4.2.2 Will the project require Data Subjects to provide information about themselves in the course of the project?

Yes:

No:

4.2.3 Describe the mechanism(s) by which the collection and processing of personal data will occur (e.g., hardware, software, networks, staff, paper, paper transmission channels).

4.2.4 Will there be new or substantially changed identity authentication requirements that may be intrusive or onerous?

Yes:

No:

4.3 Third Parties

Will the project involve third parties outside of Preemptive Love Coalition that will have access to the personal data of Data Subjects?

Yes:

No:

4.4 Changes to Data Handling

4.4.1 Will there be new or significant changes to the handling or processing of personal data, or of data that would be considered sensitive or confidential by the Data Subjects (e.g., racial and ethnic origin, political opinions, health, legal offenses and court proceedings, finances, and information that could enable identity theft)? This is meant to include personal data about Data Subjects in an existing database.

Yes:

No:

4.4.2 If yes to the above, will this involve a large number or portion of Data Subjects?

Yes:

No:

4.4.3 Will there be new or significantly changed consolidation, inter-linking, cross-referencing, or matching of personal data from multiple sources?

Yes:

No:

4.4.4 Will there be new or changed data collection policies or practices that may be intrusive for Data Subjects?

Yes:

No:

4.4.5 Will there be changes to data quality assurance or processes and standards?

Yes:

No:

4.4.6 Will there be new or changed data security arrangements or data security access/disclosure?

Yes:

No:

4.4.7 Will there be new or changed data retention arrangements? (If yes, please note that Preemptive Love Coalition’s Data Retention Policy may also need to be updated.)

Yes:

No:

4.4.8 Describe the period for which the personal data involved will be stored and the reasoning behind that retention period. Consult Preemptive Love Coalition’s Data Retention Policy, as applicable.

4.4.9 Will there be changes to the medium of disclosure for publicly available information in such a way that the data becomes more readily accessible to third/outside parties than before?

Yes:

No:

Part 4 completed by: 

Date: 

Part 5 — Consultations

5.1 Internal Preemptive Love Coalition Consultations

Consult the internal Preemptive Love Coalition personnel identified in Part 1 (Affected and/or Involved Participants) to conduct a preliminary identification of risks. Describe the main risks with reasonable clarity.

Description of Risks Preliminary Assessment: 

Risk      Description                    Exposure (Low/Medium/High)

Risk 1    Click here to enter text.      L  M  H
Risk 2    Click here to enter text.      L  M  H
Risk 3    Click here to enter text.      L  M  H
Risk 4    Click here to enter text.      L  M  H

5.2 External, Third-Party Consultations (as applicable)

Note: For large projects where there has been extensive outside involvement, a separate consultation report may be appropriate. 

Name of Third Party          Privacy Issue(s) Raised        Preliminary Assessment: Exposure (Low/Medium/High)

Click here to enter text.    Click here to enter text.      L  M  H
Click here to enter text.    Click here to enter text.      L  M  H
Click here to enter text.    Click here to enter text.      L  M  H
Click here to enter text.    Click here to enter text.      L  M  H

5.3 Consultation with Affected Data Subjects

The controller must “seek the views of data subjects or their representatives,” where appropriate (Article 35(9)) (e.g. an internal or external study related to the purpose and means of the processing operation or a survey sent to customers or future customers). If the determination is made not to consult Data Subjects, please document the reasoning for why such consultation is not necessary. 

Data Subject(s)              Privacy Issue(s) Raised        Preliminary Assessment: Exposure (Low/Medium/High)

Click here to enter text.    Click here to enter text.      L  M  H
Click here to enter text.    Click here to enter text.      L  M  H
Click here to enter text.    Click here to enter text.      L  M  H
Click here to enter text.    Click here to enter text.      L  M  H

Part 5 completed by: 

Date: 

Part 6 — Risk Analysis

The table in Appendix B is a guide to outline the key risks that have been identified and options for avoiding or mitigating those risks. Note: The table is provided as a guide only and should be adapted to conform to the project, as needed.

Part 7 — Approval

7.1 Recommendation

After completing Part 6, please explain which option(s) identify the best privacy solutions.  If significant risk remains, explain what the problem is and why internal/external consultations did not resolve this.  The recommendation could then be that the project needs to be reworked.

7.2 Approval(s)

Identified Privacy Issue:      Approved Solution:             Approved By:

Click here to enter text.      Click here to enter text.      Click here to enter text.
Click here to enter text.      Click here to enter text.      Click here to enter text.

Part 7 completed by: 

Date: 

Part 8 — Review

8.1 What checks were carried out before the project went live in order to ensure that the privacy solutions approved as part of this DPIA are working and that the process is still compliant?

8.2 Indicate below how and when the post-implementation review will be carried out.

Part 8 completed by: 

Date: 

Appendix A: Data Protection Compliance Checklist

Note: Completion of this Checklist requires knowledge of data protection legislation. Assistance should be obtained from Preemptive Love Coalition’s Data Protection Officer, Dane Barnett, at dataprotection@preemptivelove.org.

1. What type of personal data will be processed?
   Answer: Click here to enter text.

2. Will the legal basis for the data processing be (i) a legitimate business purpose, or (ii) consent from the Data Subject(s) involved?
   Answer: Click here to enter text.

3. If special categories of personal data are going to be processed, which of the legal bases in GDPR Articles 6(1) and 9 will provide a legitimate basis for that processing?
   (Special categories of personal data are personal data consisting of information as to (a) the racial or ethnic origin of the data subject, (b) political opinions, (c) religious beliefs, (d) trade union membership, (e) physical or mental health, (f) sexual life, (g) genetic data, and (h) biometric information.)
   Answer: Click here to enter text.

4. Will any of the personal data be processed under a duty of confidentiality? If yes, how is that confidentiality being maintained?
   Answer: Click here to enter text.

5. How are Data Subjects being made aware of how their personal data will be used?
   Answer: Click here to enter text.

6. Does the project involve the use of existing personal data for new purposes?
   Answer: Click here to enter text.

7. What procedures will be in place for checking that the data collection procedures are adequate, relevant, and not excessive in relation to the purpose for which the data will be processed?
   Answer: Click here to enter text.

8. How will the personal data be checked for accuracy?
   Answer: Click here to enter text.

9. Has the personal data been evaluated to determine whether its processing could cause damage or distress to Data Subjects?
   Answer: Click here to enter text.

10. Will there be set retention periods in place in relation to the storage of the personal data?
   Answer: Click here to enter text.

11. What technical and organizational security measures will be in place to prevent any unauthorized or unlawful processing of the personal data?
   Answer: Click here to enter text.

12. Will personal data be transferred outside of the European Economic Area? If so, where, and what arrangements will be in place to ensure that there are adequate safeguards over the data?
   Answer: Click here to enter text.

Data Protection Compliance Checklist completed by: 

Date: 

Appendix B: Risk Assessment for DPIA 

Description of        Inherent Privacy Risk             *Options for avoiding        Risk       Residual Privacy Risk
Identified Risk(s)    Impact  Likelihood  Exposure      or mitigating this risk      Owner      Impact  Likelihood  Exposure

______________        ______  __________  ________      ________________________     _______    ______  __________  ________
______________        ______  __________  ________      ________________________     _______    ______  __________  ________
______________        ______  __________  ________      ________________________     _______    ______  __________  ________

*For each privacy risk, there could be several options for avoiding or mitigating that risk. List all the options, then consider the residual risk for each.