While working through the DPIA, which of the following is NOT a requirement?

You are a consulting Data Protection Officer (DPO) for a holiday resort. You have been asked to conduct a Data Protection Impact Assessment (DPIA) for them in advance of adopting a new HR management database.

While working through the DPIA, which of the following is NOT a requirement?
A. Describe the processing.
B. Sign off and record outcomes.
C. Identify measures to mitigate the risks.
D. Publish any potential risks in your information notice.

Answer: D

Explanation:

A DPIA is a process to help identify and minimise the data protection risks of a project that is likely to result in a high risk to individuals. A DPIA must include the following elements, according to Article 35(7) of the UK GDPR [1]:

a description of the processing, including its purposes and legal basis;

an assessment of the necessity and proportionality of the processing in relation to its purposes;

an assessment of the risks to the rights and freedoms of individuals; and

the measures envisaged to address the risks and demonstrate compliance with the UK GDPR.

There is no requirement to publish any potential risks in the information notice, which is a document that provides individuals with information about how their personal data is processed, as required by Articles 13 and 14 of the UK GDPR [2]. However, it may be good practice to do so, as well as to consult with individuals or their representatives, where appropriate, as part of the DPIA process. This can help to enhance transparency, trust and accountability, and to identify any additional risks or concerns from the perspective of the data subjects.

References:

[1] Article 35(7) of the UK GDPR

[2] Articles 13 and 14 of the UK GDPR
