I have a question around DPIAs and our clients' data.
As a security Monitoring company providing SOC-as-a-service, we are a ‘processor’ to our clients, and we monitor their networks/systems under contractual obligation.
Would we be required to carry out DPIAs on our client data as a processor, as well as on our own data as a controller?
From what I understand, we would carry out a DPIA on their data if they request that we do so. Is this correct?
If this is not clear or you need more information, feel free to let me know.
Yes, you are right: the DPIA is an obligation of the data controller. As a data processor, you may suggest to your client that they conduct a DPIA and help them in the process, but you don't need one if the controller does not require it. About the data you process as a controller, you need to determine whether the monitoring falls under the scope of Article 35 GDPR. If a DPIA is required, I would suggest you use the tool that the CNIL (the French Data Protection Authority) implemented; it is in English and guides controllers through the assessment process.
Here you can find more information about the DPIA process: