Services

dpia

Data protection impact assessment, or DPIA for short, is a required process for organisations processing personal data. A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.

You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

Your DPIA must:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.

Kiremor can help ensure your impact assessments cover all areas required by the GDPR, providing managers with an accurate risk assessment of any new processing of special category or sensitive personal information.

rights management

GDPR has extended the range of rights a data subject (individual) has over the control of their data. The inclusion of the new right of erasure (popularly known as the right to be forgotten) gives data subjects the right to demand that their data is erased (in certain circumstances). The long-established subject access right now has a shorter turnaround time, reduced from 40 to 30 days. All data subject rights are enforceable and subject to monetary penalty for non-compliance.

Kiremor can help you develop effective processes and procedures to make rights management a more efficient and less time-consuming requirement of data protection.

data management

One of the most neglected areas of organisational management is data and information management. Here at Kiremor we provide on-demand services ranging from Information Architecture design through to developing Data Processing and Data Sharing Agreements. Contact us for more information.

F.A.Q.

Some common terms and questions

What is GDPR?

The General Data Protection Regulation (GDPR) is Europe-wide legislation. The Data Protection Act 2018 is the UK interpretation of the GDPR.

What is a data subject?

The living individual who is the focus of personal information.

What is a controller?

The individual or organisation who is processing (using) the data subject's personal information.

What is a processor?

Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller's interests rather than their own. Although a processor may make its own day-to-day operational decisions, Article 29 of the GDPR says it should only process personal data in line with the controller's instructions, unless it is required to do otherwise by law.

What are the penalties?

Under Part 6 of the Act, there are two tiers of penalty for an infringement of Part 3: the higher maximum and the standard maximum.

What is the higher maximum?

The higher maximum amount is 20 million euros (or the equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles, any rights an individual may have under Part 3, or any transfers of data to third countries.

What is the standard maximum?

If there is an infringement of other provisions, such as the administrative requirements of the legislation, the standard maximum amount will apply, which is 10 million euros (or the equivalent in sterling) or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.