chapter 6 Flashcards
what does this describe?
Develop and implement policies and practices to adhere to the PDPA
Data Protection Management Programme
what does this describe?
Inputs to deciding on policies and practices to be implemented
Data Protection Impact Assessment
DPIAs can be conducted on _____ and _______
systems and processes
what are the key tasks in DPIA
- Identifying the personal data handled by the system or process
- Identifying how the personal data flows
- Identifying data protection risks
- Addressing the identified risks
- Checking to ensure that identified risks are adequately addressed
when to conduct a DPIA
- Creating a new system
- Creating a new process
- Changing existing systems or processes
- Changes to the organisational structure
- Collecting new types of personal data
To address data protection risks effectively, a DPIA should involve ________________
relevant stakeholders and where needed, relevant external parties
who is the DPIA lead
project manager
in charge of the DPIA project
what are the responsibilities of the project manager (DPIA Lead)
Overall in-charge of the DPIA and could be supported by a DPIA team.
Seeks input from relevant parties on:
* Data protection risks and challenges
* Possible solutions to address the risks
* Documents DPIA report
* Monitors DPIA outcomes and reviews the DPIA
role of the Data protection officer
Enforcing the Data Protection policies
what are the responsibilities of the DPO
Advises DPIA lead throughout the DPIA process, including providing support based on best practices
* Defining the risk assessment framework
* Ensuring that DPIAs are conducted according to the organisation’s policies
* Assists in reviewing the DPIA report
role of Project Steering Committee
Management of organisation
responsibilities of project steering committee
Commissions the DPIA
Approves the DPIA report
what is the role of others
Other organisational functions or external parties
what are the responsibilities of others
Provides input on potential risks and challenges, for example
* IT and Legal
* Customer Service, Communications or Operations
* Human Resource or Staff Capability
what are the steps in the Data Protection Impact Assessment Life Cycle
phase 1 assess the need for DPIA
phase 2 plan DPIA
phase 3 Identify Data and personal data flows
phase 4 identify and assess data protection risks
phase 5 create action plan
phase 6 implement and monitor action plan
what is phase 2
plan for DPIA
what is involved in plan for DPIA (phase 2)
Project Description
* Overview of the project and reason for DPIA
* Key considerations
Scope of DPIA
* Detail of the specific system or process in scope
Define Risk Assessment Framework
* Risk assessment criteria
* Risk calculation method
Parties Involved
* Identify relevant internal or external stakeholders
* Approach in gathering stakeholder inputs
DPIA Timeline
* Overall DPIA timeline
* Key task timeline
Personal data protection risks can be evaluated based on their ___________ and ____________
likelihood (likelihood criterion) and impact (impact / consequence criterion)
what are the risk matrix scoring ranges
high risk rating (15 - 25)
risk threshold (8 - 12)
low risk rating (1 - 3)
Quantitative Risk Ratings formula
Risk = Likelihood x Impact
what happens in Phase 3: Identify Personal Data and Data Flow
DPIA lead would need to collate and review documentation related to the project (e.g., project plan, system functional specs) in order to determine how personal data is being collected, used or disclosed. DPIA lead should also consult stakeholders and conduct on-site inspections.
Identify various types of personal data handled and determine the purposes
Map the way that personal data flows through various stages
Example of Identify Personal Data (phase 4)
DPIA lead / Website administrator
* Consults the relevant project stakeholders (e.g., Planning team, IT, Finance, Marcom)
* Reviews any project relevant documentation
DPIA lead sets out to identify personal data touchpoints in the system
* Who has access to the various types of personal data?
* Where and how is the personal data being stored?
* How is the personal data being used?
* How long is the retention period and what are the disposal methods?
what happens in Phase 4: Identify and Assess Risk
Having defined a risk framework and documented how personal data is being handled, the DPIA lead can now proceed to identify and assess personal data protection risks.
Complete a DPIA Questionnaire to assess the project against PDPA requirements
Identify areas in the personal data flow which could lead to a breach of the PDPA
Analyse the potential impact and likelihood of identified gaps and risks
Example of Phase 4: Identify and Assess Risk
In completing the DPIA Questionnaire, the DPIA lead’s considerations could include
- What are the applicable PDPA requirements to be complied with?
- Is there an excessive collection of personal data?
- Are there sufficient measures in place to safeguard the personal data handled?
- Are staff aware of their roles and responsibilities?
- Are third party organisations aware of their personal data protection obligations?
what happens in phase 5
Based on the various personal data protection risks identified, the DPIA lead can now create an Action Plan, which outlines the specific tasks to be taken in order to address those risks.
List the critical tasks to be taken in order to address the various data protection risks identified
Assign the action owners responsible to address the identified risks
Formulate a timeline for when specific tasks need to be completed and determine their priority
Example of Phase 5: Create Action Plan
In developing the action plan, the DPIA lead’s considerations include
- What are the risk treatment options, taking into consideration the risk assessment?
- What constraints does the organisation face?
- What other legal requirements does the organisation need to consider?
- What are the pros and cons for each recommendation or proposed solution?
- How can the proposed solutions be integrated within the organisation’s business?
what happens in phase 6
DPIA Report
* Document the whole DPIA process
* Reviewed by DPO
* Approved by Project Steering Committee
Action Plan Implementation
* Implement the plan by respective Action Owners
* Monitor outcome by Project Manager
Maintain DPIA
* Subsequent developments to the project
* Technology or security developments
* External environmental changes