Qualify processing activities for risk assessment (Pre-DPIA Analysis)

The GDPR requires a risk assessment for all processing activities to decide whether a Data Protection Impact Analysis (DPIA) is necessary. Before the risk assessment can be performed, each processing activity must be qualified in detail. The requirements for this qualification can vary from country to country.

ARIS Accelerators for GDPR uses the Survey Management of ARIS Risk and Compliance to qualify each processing activity. ARIS Risk and Compliance ensures the segregation of duties principle and offers an audit trail of any changes. ARIS Accelerators for GDPR contains a questionnaire template (GDPR Processing Activity Qualification) for qualifying the processing activities. The template is based on the recommendations of the Article 29 Data Protection Working Party ("Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is likely to result in a high risk for the purposes of Regulation 2016/679"). For each processing activity, the actual score is calculated by adding up the answer values of the selected answers. If the actual score exceeds the target score (set to 10 by default, which equals two risk aspects), the affected processing activity can involve a high risk to the data subjects under GDPR. The template is meant as an initial questionnaire that can be customized.

The creation of the qualification with the Survey Management of ARIS Risk and Compliance is performed in two steps for each processing activity: