Reduce risk and demonstrate compliance.
The General Data Protection Regulation (GDPR) requires organisations to carry out a risk assessment (DPIA) in certain circumstances. Usually, a DPIA should be carried out before your organisation begins processing data in a new way. A DPIA is a process which aims to identify risks arising out of the processing of personal data and to minimise those risks where possible. DPIAs are a vital tool for demonstrating compliance with data protection law and also for reducing the risk of non-compliance and possible sanctions.
Our data protection experts can take you through this process and provide you with the knowledge required to ensure compliance with data protection law. We can help you to identify risks and make informed decisions relating to risk acceptability and mitigation.
Using our bespoke DPIA assessment template, we will guide you through this process and provide you with recommendations and solutions.
Depending on your needs, we can deliver these services to your organisation on-site or remotely, or a combination of both. Your DPO support can be either fully outsourced to Pembroke Privacy or we can assist your in-house team as required. We will provide you with a monthly report detailing ongoing progress.
03/26/2021
The General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data for EU residents no matter where you or your enterprise are located. Additional details can be found in the GDPR Summary topic. This document guides you to information regarding Data Protection Impact Assessments (DPIAs) under the GDPR when using Microsoft products and services.
Helpful definitions for GDPR terms used in this document:
Data Controller (Controller): A legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Personal data and data subject: Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly.
Processor: A natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the controller.
Customer Data: Data produced and stored in the day-to-day operations of running your business.
The GDPR requires controllers to prepare a Data Protection Impact Assessment (DPIA) for operations that are 'likely to result in a high risk to the rights and freedoms of natural persons.' There is nothing inherent in Microsoft products and services that requires the creation of a DPIA. However, because Microsoft products and services are highly customizable, a DPIA may be needed depending on the details of your Microsoft configuration. Microsoft has no control over, and little or no insight into, such information. You, as the data controller, must determine the appropriate uses of your data.
The DPIA guidance applies to Office 365, Azure, Dynamics 365, and Microsoft Support and Professional Services. That guidance includes consideration of:
When is a DPIA needed?
The risk factors listed below should be addressed when considering whether to complete a DPIA. Other potential factors and further details are found in Part 1 of each of the guidelines.
A systematic and extensive evaluation of data based on automated processing.
Processing on a large scale of special categories of data (data revealing information uniquely identifying a natural person), or of personal data relating to criminal convictions and offenses.
Systematic monitoring of a publicly accessible area on a large scale.
The GDPR clarifies: 'The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional, or lawyer. In such cases, a data protection impact assessment should not be mandatory.'
What is required to complete a DPIA?
A DPIA should provide specific information about the intended processing, which is detailed in Part 2 of the guidance. That information includes:
Assessment of the necessity and proportionality of the data processing in relation to the purpose of the DPIA.
Assessment of the risks to the rights and freedoms of natural persons.
Intended measures to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and demonstrate compliance with the GDPR.
Purposes of processing
Categories of personal data processed
Data retention
Location and transfers of personal data
Data sharing with third-party subprocessors
Data sharing with independent third parties
Specific details that may be relevant to your Microsoft implementation are below.
Office 365: This document applies to Office 365 applications and services, including but not limited to Exchange Online, SharePoint Online, Yammer, Skype for Business, and Power BI. Refer to Tables 1 and 2 for more details.
Azure: Customers are encouraged to work with their privacy officers and legal counsel to determine the necessity and content of any DPIAs related to their use of Microsoft Azure.
Dynamics 365: The contents of a DPIA may vary according to which Dynamics 365 tools you are employing. For specific details refer to Part 2 Contents of a DPIA.
Microsoft Support and Professional Services: Professional Services does not conduct certain routine or automated data processing, nor is it intended to process special categories or perform tasks that facilitate or require monitoring of publicly accessible data. For details see Part 1 — Determining Whether a DPIA is needed. Controllers must consider the DPIA elements outlined above, along with any other relevant factors, in the context of the controller's specific implementations and uses of Professional Services. For Professional Services information, see Part 2 — Contents of a DPIA.