Expert Advice Community

Guest

GDPR queries

  Quote
Guest
Guest user Created:   Aug 05, 2020 Last commented:   Aug 06, 2020

GDPR queries

1) What is the prime difference between ROPA & PIA?

2) While assessing a vendor, once I am done with Information Risk Assessment Questionnaire, how would I be able to identify if i have to proceed with ROPA or PIA?

3) I have created ROPA and PIa questionnaires and added below sections; do these makes sense or am I missing out on something?
ROPA
Contact Information
Basic information on processing and responsibility
Data Collection
Purpose and legal basis of data processing
Data transfers and recipients
Standard period for data erasure
Means of processing
Groups with access authorization (simplified authorization concept)
Technical and organizational measures (Art. 32 GDPR)
Data portability

PIA
Business / Project Information
General Information
Attributes of the Data (use and accuracy)
Sharing Practices
Notice to Individuals to Decline/Consent Use
Data sharing
Access to Data (administrative and technological controls)
Privacy Analysis
Retention and Deletion

0 0

Assign topic to the user

Assign

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Alessandra Nisticò Aug 06, 2020

What is the prime difference between ROPA & PIA?

I assume that for ROPA you mean Record Of Processing Activities under Article 30 GDPR and PIA as Privacy Impact Assessment which is another way to name Data Protection Impact Assessment DPIA under Article 35 GDPR.

If so, ROPA can be seen as a consequence of PIA. PIA is crucial to apply the principle of Privacy by design in your organization. You need to evaluate the process according to the GDPR principle, assess risks, and then establish how your data processing will be carried out. ROPA, therefore, is the result of processes selected as compliant to privacy by design and other data processing principles that have been considered and assessed in PIA.

While assessing a vendor, once I am done with the Information Risk Assessment Questionnaire, how would I be able to identify if I have to proceed with ROPA or PIA?

PIA and ROPA are two different activities. Therefore, you need to assess risk with PIA, select the most compliant process, and then record them in ROPA.

I have created ROPA and PIa questionnaires and added below sections; do these make sense or am I missing out on something?

ROPAContact InformationBasic information on processing and responsibilityData CollectionPurpose and legal basis of data processingData transfers and recipientsStandard period for data erasureMeans of processingGroups with access authorization (simplified authorization concept)Technical and organizational measures (Art. 32 GDPR)Data portability

PIABusiness / Project InformationGeneral InformationAttributes of the Data (use and accuracy)Sharing PracticesNotice to Individuals to Decline/Consent UseData sharingAccess to Data (administrative and technological controls)Privacy AnalysisRetention and Deletion

Article 30 GDPR list the requirement of ROPA for the controller in paragraph 1 and for processors in paragraph 2. You are missing the categories of data subjects, the suitable safeguards adopted in case of transfer of data in third countries.

Article 35 par. 7 GDPR requires for PIA at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
  • the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
  • In your questionnaire, it seems that the assessment part and evaluation of risk are missing unless the title of section includes it. Remember to identify the data subjects and evaluate the risk of freedom and their rights.

    Here you can find more information:

    We developed some EU GDPR document template that might be helpful:

    You can also consider enrolling in our free EU GDPR Foundations Course

    Quote
    0 0

    Comment as guest or Sign in

    HTML tags are not allowed

    Aug 05, 2020

    Aug 06, 2020

    Suggested Topics

    Guest user Created:   Jun 05, 2018 EU GDPR
    Replies: 1
    0 0

    Few GDPR queries

    Guest user Created:   May 17, 2018 EU GDPR
    Replies: 1
    0 0

    GDPR compliance queries

    Guest user Created:   May 16, 2018 EU GDPR
    Replies: 1
    0 0

    EU GDPR Documentation Toolkit