DSP-09: Data Protection Impact Assessment

Control is new to this version of the control set.

Control Statement

Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature, particularity and severity of the risks upon the processing of personal data, according to any applicable laws, regulations and industry best practices.

Implementation Guidance

Data protection impact assessment, which is essentially risk assessment from a privacy perspective, should be performed by the data controller before processing if such personal data processing is likely to result in a high risk to the rights and freedoms of natural persons.

Auditing Guidance

  1. Examine procedures related to DPIA risk assessment and determine if once a requirement has been established, the organization identifies and grades the associated risks and reports and prioritizes the remediation of risks and non-compliance activities. Examine whether the DPIA process and templates align to the organization's risk methodology and taxonomy.
  2. Establish whether the organization has documented the roles and responsibilities for this process.
  3. Select a sample of DPIAs and examine evidence to confirm that each assessment was performed to identify associated risks. Further, confirm that any action plans were identified and carried out appropriately. Confirm that all relevant evidence was formally documented.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.