Data Protection Impact Assessment
Fund for Training and Income Support for Temporary Workers
The ICT & Privacy Area and the DPO requested MACFIN's support to conduct a Data Protection Impact Assessment ("DPIA").
In the context of the personal data processing managed by the Fund in its capacity as Data Controller, the DPIA was aimed at assessing the necessity and proportionality of the processing, as well as the related risks for the data subjects, in order to prepare suitable measures to address them.
Goals
Identify and analyze processing operations that may present potentially high risks to data subjects (e.g., sensitive data, evaluative processing, large-scale processing, etc.)
Review risks to stakeholders in terms of likelihood of occurrence, impact, and level of effectiveness of the measures in place
Evaluate the legitimacy, as well as the necessity and proportionality, of the processing in relation to its purposes
Evaluate whether prior consultation with the Guarantor Authority is required if risks to data subjects are not adequately guarded against, and identify possible improvements to the measures that guard against those risks
Activity
Analysis of processing operations and methodology tuning to define the assessment perimeter. Sharing of the adopted evaluation methodology with the DPO and the ICT & Privacy Area Referent, in order to integrate it where appropriate, in consideration of the characteristics of the Organization.
Impact assessment to identify processing operations posing a risk to the rights of data subjects, and conduct of the impact assessment on the processing operations in the perimeter, based on the agreed methodology. Conduct of a risk self-assessment process by surveying Area/Office managers on the processing operations under their respective areas of responsibility. Sharing of the results of the surveys conducted with the managers, and self-assessment of risks with the ICT & Privacy Area Manager. Collection, during the surveys, of the main evidence supporting the evaluation of the security measures.
Definition of a mitigation plan to assess the legitimacy, as well as the necessity and proportionality, of the processing operations in relation to their purposes. Definition of possible corrective actions related to the security measures and, in general, to the personal data risk management framework, in consideration of the characteristics of the processing operations, the risks not adequately mitigated, the observations of the risk owners, and the main evidence regarding the effective adoption and effectiveness of the security measures.
Results
Final reporting of the impact assessment outcomes
Informed management of the risks inherent in the processing of personal data, in view of the characteristics of the processing and the adoption and effectiveness of the security measures in place
Assurance to the ICT & Privacy Area on the lawfulness of the processing operations and their necessity and proportionality, with particular reference to the conditions and measures aimed at ensuring the proper exercise of the rights of the data subjects