Suze
Hi,
I’d recommend you do a DPIA, yes. You have your own risks relating to access, storage, deletion, bad actors, etc etc.
A documented DPIA would demonstrate that you have considered the risks to the data subjects and how to mitigate them.
In the event of a breach, you would then be able to refer to the DPIA to see if any of the controls you’d put in place had failed, and how to prevent that happening again, and also, if it was a breach that hadn’t been considered in the DPIA, it offers an opportunity to update it and improve things.
Lots of reasons for DPs to do their own DPIAs 🙂
Chris Roberts
Hi, as per Suze and Dave, I would absolutely recommend a DPIA is carried out. The process of writing a DPIA provides structure to the questions you should already be asking yourself about the position your organisation sits in within the supply chain and the risks posed to your business and the others in that particular processing activity. The more DPIAs you write, the easier they become, and they only enhance your knowledge of your organisation.
Hope that helps?
Serif Zjakic
You are not required to do that as a Processor, but I would do it to ensure that you understand better what the risks would be. In case a risk materialises, you can then see what has gone wrong and update the DPIA. A DPIA is a living document and should be amended as the processing activity changes. Doing a DPIA will also give your clients peace of mind, as they will see that you are being diligent and thorough.
Tash
The WP guidance says that if, as a processor, you are SaaS, then yes you should. Otherwise, in theory, no, you just help controllers with theirs. In reality, I suggest that my processor clients do them.
HellenB
My instinct, before reading Suze and David’s answers, is also to say yes. Not least because it may enable you to identify issues that you hadn’t necessarily considered before taking on the processing of the data. It would also enable you to either a) give your client assurance that you are thorough in your processes, or b) that you have identified a potential risk to their organisation that they can rectify in good time.
Dave_Wylie
As per Suze's comments: yes, you should.
Taking this a step further, as part of the Vendor Due Diligence and the contractual engagement process between the Controller that is engaging you to process under their instruction, you will very likely have to show the evidence to them that you understand the obligations of the scope of your processing activity; the DPIA will show this evidentially.
Indeed, the Data Processing Addendum should contain the details, provisions and measures that appear in the DPIA which govern the specific processing activity with you as the processing party.
Hope that helps.