Asked: January 28, 2021 at 5:23 pm, in: GDPR DPIAs

Question: Hi, we are a data processor who processes sensitive data on behalf of clients. Do we have to do our own DPIA?

6 Answers (sorted by votes)

Suze, answered January 28, 2021 at 6:29 pm (edited), 2 votes

Hi, I'd recommend you do a DPIA, yes. You have your own risks relating to access, storage, deletion, bad actors, etc etc. A documented DPIA would demonstrate that you have considered the risks to the data subjects and how to mitigate them. In the event of a breach, you would then be able to refer to the DPIA to see if any of the controls you'd put in place had failed, and how to prevent that happening again, and also, if it was a breach that hadn't been considered in the DPIA, it offers an opportunity to update it and improve things. Lots of reasons for DPs to do their own DPIAs 🙂

Chris Roberts (Silver contributor), answered January 29, 2021 at 5:23 pm, 0 votes

Hi, as per Suze and Dave I would absolutely recommend a DPIA is carried out. The process of writing a DPIA provides structure to the questions you should already be asking yourself about the position your organisation sits in the supply chain and the risks posed to your business and the others in that particular processing activity. The more DPIAs you write the easier they become, and they only enhance your knowledge of your organisation. Hope that helps?

Serif Zjakic (Rising star contributor), answered January 29, 2021 at 8:46 am, 0 votes

You are not required to do that as a Processor, but I would do that to ensure that you understand better what the risks would be. In case that risk materialises you can then see what has gone wrong and update the DPIA. A DPIA is a living document and should be amended as the processing activity changes. Doing a DPIA will also give your clients ease of mind as they will see that you are being diligent and thorough.

Tash (Bronze contributor), answered January 28, 2021 at 11:29 pm, 0 votes

The WP guidance says that if, as a processor, you are SaaS, then yes you should. Otherwise, in theory, no, you just help controllers with theirs. In reality, I suggest that my processor clients do them.

HellenB (Silver contributor), answered January 28, 2021 at 11:15 pm, 0 votes

My instinct, before reading Suze and David's answers, is also to say yes. Not least because it may enable you to identify issues that you hadn't necessarily considered before taking on the processing of the data. It would also enable you to either a) give your client assurance that you are thorough in your processes, or b) show that you have identified a potential risk to their organisation that they can rectify in good time.

Dave_Wylie (Bronze contributor, United Kingdom), answered January 28, 2021 at 6:51 pm, 0 votes

As per Suze's comments, yes you should. Taking this a step further, as part of the Vendor Due Diligence and the contractual engagement process between you and the Controller that is engaging you to process under their instruction, you will very likely have to show them evidence that you understand the obligations of the scope of your processing activity; the DPIA will show this evidentially. Indeed, the Data Processing Addendum should contain the detail, provisions and measures that appear in the DPIA that govern the specific processing activity with you as the processing party. Hope that helps.