GDPR queries

What is the prime difference between ROPA & PIA?

I assume that for ROPA you mean Record Of Processing Activities under Article 30 GDPR and PIA as Privacy Impact Assessment which is another way to name Data Protection Impact Assessment DPIA under Article 35 GDPR.

If so, ROPA can be seen as a consequence of PIA. PIA is crucial to apply the principle of Privacy by design in your organization. You need to evaluate the process according to the GDPR principle, assess risks, and then establish how your data processing will be carried out. ROPA, therefore, is the result of processes selected as compliant to privacy by design and other data processing principles that have been considered and assessed in PIA.

While assessing a vendor, once I am done with the Information Risk Assessment Questionnaire, how would I be able to identify if I have to proceed with ROPA or PIA?

PIA and ROPA are two different activities. Therefore, you need to assess risk with PIA, select the most compliant process, and then record them in ROPA.

I have created ROPA and PIa questionnaires and added below sections; do these make sense or am I missing out on something?

ROPAContact InformationBasic information on processing and responsibilityData CollectionPurpose and legal basis of data processingData transfers and recipientsStandard period for data erasureMeans of processingGroups with access authorization (simplified authorization concept)Technical and organizational measures (Art. 32 GDPR)Data portability

PIABusiness / Project InformationGeneral InformationAttributes of the Data (use and accuracy)Sharing PracticesNotice to Individuals to Decline/Consent UseData sharingAccess to Data (administrative and technological controls)Privacy AnalysisRetention and Deletion

Article 30 GDPR list the requirement of ROPA for the controller in paragraph 1 and for processors in paragraph 2. You are missing the categories of data subjects, the suitable safeguards adopted in case of transfer of data in third countries.

Article 35 par. 7 GDPR requires for PIA at least:

In your questionnaire, it seems that the assessment part and evaluation of risk are missing unless the title of section includes it. Remember to identify the data subjects and evaluate the risk of freedom and their rights.

Here you can find more information:

• ART 30 GDPR: https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/
• ART 35 GDPR: https://advisera.com/eugdpracademy/gdpr/data-protection-impact-assessment/
• 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/

We developed some EU GDPR document template that might be helpful:

• Data Protection Impact Assessment Methodology: https://advisera.com/eugdpracademy/documentation/data-protection-impact-assessment-methodology/
• DPIA Register: https://advisera.com/eugdpracademy/documentation/dpia-register/
• Inventory of Processing Activities: https://advisera.com/eugdpracademy/documentation/inventory-of-processing-activities/

You can also consider enrolling in our free EU GDPR Foundations Course

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//