Prerequisites to Processing Activity Assessment
To be able to perform an assessment (whether a pre-assessment or a DPIA), you should make sure that:
• processing activity owners have properly described the processing activities
For more information, see Describing Processing Activities.• you have specified compliance levels on the basis of the information given by processing activity owners.
Specifying Compliance Levels
The Privacy team/DPO has to specify a compliance level for each section of a processing activity.
It is necessary to give those scores after the processing activity owner has described the processing activity. This will give you an indication of where to start when it comes to further assessing your processing activities (through preliminary assessment and DPIAs).Legal Basis Compliance Level
To specify a compliance level in relation to legal basis:
1. Open the processing activity property page.
2. Select the Legal Basis page.
3. Select a value in the drop-down menu available
There has to be at least one legal basis selected. If there is no legal basis for the processing activity, the processing activity is considered poorly compliant.
For more information see Processing Activities Legal Basis.Minimization Compliance Level
To specify a compliance level in relation to data minimization:
1. Open the processing activity properties.
2. Select the Details page.
3. Expand the Personal Data Risk Analysis of "your Processing Activity" section.
4. Select a value in the drop-down menu available.
For more information about data minimization, see Processed Personal Data.Data transfers and security measures
To specify a compliance level in relation to data transfers and security measures:
1. Open the processing activity properties.
2. Select the Details page.
3. Expand the Security Measures section.
4. Select a value in the drop-down menu available.
For more information see Data Transfers.Viewing the Initial Compliance Level of a Processing Activity
It is useful for the DPO or the Privacy team to get an overview of the processing activity compliance levels. It will facilitate prioritization of subsequent actions (decide if you need to perform a pre-assessement or a DPIA).
To identify the compliance level of a processing activity:
In the processing activity properties, select the Pre-assessment page.Here you can find a summary of the scores previously assigned in the different sections found in the Legal Basis and Details pages:
• Legal Basis (score from the Legal Basis page)
• Data Minimization (score from the Details page)
• Data Subject's Rights & Notice Management (score from the Details page)
• Data Transfers (score from the Details page)
See Data Transfers• Security Measures (score from the Details page)