Content library
Processing principles and accountability
Managing and sharing data protection impact assessments
Privacy
Processing principles and accountability

Managing and sharing data protection impact assessments

Start free trial

Task description

Managing and sharing data protection impact assessments

The organization must perform and document a Data Protection Impact Assessment (DPIA) before starting any processing that may affect individuals’ privacy or data protection rights. The assessment must evaluate the nature, scope, purpose, and risks of the processing to ensure personal data is handled lawfully and responsibly.

The assessment must define:

  • The purpose and legal basis of processing.
  • The types, sources, and scope of personal data, including any intended disclosures.
  • The context of processing, defining roles and relationships between the controller, processors, and data subjects.
  • An evaluation of necessity and proportionality to ensure only essential data is processed.
  • The potential impacts on individuals and the likelihood of harm.
  • Mitigation measures and their effectiveness.

Completed assessments must be reviewed, approved, and retained as evidence of compliance. When processing is carried out by a processor, a copy of the relevant DPIA must be provided to them to ensure awareness of risks and required safeguards.

Requirements connected to the task

Article 16.3-4: Assessment of proposed processing
Personal Data Protection Law (Saudi Arabia)
Article 25.1: Impact assessment
Personal Data Protection Law (Saudi Arabia)
Article 25.2-3: Contents and communication of data protection impact assessments
Personal Data Protection Law (Saudi Arabia)
Article 8.2: Elements of the data transfer risk assessment
Personal Data Protection Law (Saudi Arabia)

Other tasks from the same security theme

Task name
Priority
Policy
Other requirements
Data store listing and owner assignment
Critical
High
Normal
Low
Processing principles and accountability
78
requirements

Examples of other requirements this task affects

5. Principles relating to processing of personal data
GDPR
6. Lawfulness of processing
GDPR
8.1.1: Inventory of assets
ISO 27001
5 §: Tiedonhallintamalli ja muutosvaikutuksen arviointi
TiHL
6.7: Asiakas- ja potilastietojärjestelmät, niihin liitetyt tietojärjestelmät ja muut tietojärjestelmät
Omavalvontasuunnitelma
See all related requirements and other information from tasks own page.
Go to >
Data store listing and owner assignment
Personnel guidelines for safe processing of personal and confidential data
Critical
High
Normal
Low
Processing principles and accountability
33
requirements

Examples of other requirements this task affects

29. Processing under the authority of the controller or processor
GDPR
7.2.2: Information security awareness, education and training
ISO 27001
11.2.8: Unattended user equipment
ISO 27001
11.2.9: Clear desk and clear screen policy
ISO 27001
12.1.1: Documented operating procedures
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Personnel guidelines for safe processing of personal and confidential data
Records of processing activities -report publishing and maintenance
Critical
High
Normal
Low
Processing principles and accountability
9
requirements

Examples of other requirements this task affects

30. Records of processing activities
GDPR
A.7.2.8: Records related to processing PII
ISO 27701
TSU-01: Käsiteltävien henkilötietojen tunnistaminen
Julkri
TSU-21: Seloste käsittelytoimista
Julkri
61: Seloste käsittelytoiminnasta
Digiturvan kokonaiskuvapalvelu
See all related requirements and other information from tasks own page.
Go to >
Records of processing activities -report publishing and maintenance
Documentation of personal data processing purposes for data stores
Critical
High
Normal
Low
Processing principles and accountability
24
requirements

Examples of other requirements this task affects

6. Lawfulness of processing
GDPR
30. Records of processing activities
GDPR
18.1.4: Privacy and protection of personally identifiable information
ISO 27001
A.7.2.2: Identify lawful basis
ISO 27701
A.7.2.8: Records related to processing PII
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Documentation of personal data processing purposes for data stores
Limitations on processing sensitive data under legitimate interest
Critical
High
Normal
Low
Processing principles and accountability
2
requirements

Examples of other requirements this task affects

Article 16.1-2: Processing for limited interest
PDPL
Article 16.3-4: Assessment of proposed processing
PDPL
See all related requirements and other information from tasks own page.
Go to >
Limitations on processing sensitive data under legitimate interest
Procedure for introducing new personal data processing purposes
Critical
High
Normal
Low
Processing principles and accountability
4
requirements

Examples of other requirements this task affects

Article 4.6: Processing personal data for other purposes
PDPL
Article 21: Controls for processing personal data for public interest purposes
PDPL
Article 18.1: Further processing of personal data
PDPL
Article 18.2: Processing obligations for the Controller
PDPL
See all related requirements and other information from tasks own page.
Go to >
Procedure for introducing new personal data processing purposes
Policy for processing credit data
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

Article 27: Processing credit data
PDPL
See all related requirements and other information from tasks own page.
Go to >
Policy for processing credit data
Documentation of health data processing stages and responsibilities
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

Article 26: Processing health data
PDPL
See all related requirements and other information from tasks own page.
Go to >
Documentation of health data processing stages and responsibilities
Process for processing based on the data subject's actual interest
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

Article 14: Processing to serve the actual interest of data subject
PDPL
See all related requirements and other information from tasks own page.
Go to >
Process for processing based on the data subject's actual interest
Ensuring secure anonymisation of personal data
Critical
High
Normal
Low
Processing principles and accountability
2
requirements

Examples of other requirements this task affects

Article 9.1-2: Anonymisation
PDPL
Article 15: Processing data from third parties
PDPL
See all related requirements and other information from tasks own page.
Go to >
Ensuring secure anonymisation of personal data
Managing and documenting data subject consent
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

Article 11.1-2: Processing consent
PDPL
See all related requirements and other information from tasks own page.
Go to >
Managing and documenting data subject consent
Ensuring minimal retention of personal data
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

Article 19: Data minimisation
PDPL
See all related requirements and other information from tasks own page.
Go to >
Ensuring minimal retention of personal data
Handling and protection of official identification documents
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

Article 31: Photographing or copying official documents that reveal the identity of data subjects
PDPL
See all related requirements and other information from tasks own page.
Go to >
Handling and protection of official identification documents
Assessment for processing personal data for public interest
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

Article 21: Controls for processing personal data for public interest purposes
PDPL
See all related requirements and other information from tasks own page.
Go to >
Assessment for processing personal data for public interest
Personal data destruction procedure
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

Article 8.1: Right to request destruction of personal data
PDPL
See all related requirements and other information from tasks own page.
Go to >
Personal data destruction procedure
Legitimate interest assessment process
Critical
High
Normal
Low
Processing principles and accountability
3
requirements

Examples of other requirements this task affects

Article 20.5-6: Disclosure operations in the records of personal data processing activities
PDPL
Article 16.1-2: Processing for limited interest
PDPL
Article 16.3-4: Assessment of proposed processing
PDPL
See all related requirements and other information from tasks own page.
Go to >
Legitimate interest assessment process
Managing and sharing data protection impact assessments
Critical
High
Normal
Low
Processing principles and accountability
4
requirements

Examples of other requirements this task affects

Article 8.2: Elements of the data transfer risk assessment
PDPL
Article 25.2-3: Contents and communication of data protection impact assessments
PDPL
Article 25.1: Impact assessment
PDPL
Article 16.3-4: Assessment of proposed processing
PDPL
See all related requirements and other information from tasks own page.
Go to >
Managing and sharing data protection impact assessments
Re-conducting data protection impact assessments after identifying privacy harm
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

Article 25.4: Grounds to re-conduct the assessment
PDPL
See all related requirements and other information from tasks own page.
Go to >
Re-conducting data protection impact assessments after identifying privacy harm
Safeguards for processing data for research purposes
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

Article 30: Collection and processing of data for scientific, research, or statistical purposes
PDPL
See all related requirements and other information from tasks own page.
Go to >
Safeguards for processing data for research purposes
Management of personal data deletion capabilities
Critical
High
Normal
Low
Processing principles and accountability
2
requirements

Examples of other requirements this task affects

Article 43: Individual right to request corrections
CSL (China)
Article 9.1-2: Anonymisation
PDPL
See all related requirements and other information from tasks own page.
Go to >
Management of personal data deletion capabilities
Local storage of personal information and important data (China)
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

Article 37: Storage of personal information
CSL (China)
See all related requirements and other information from tasks own page.
Go to >
Local storage of personal information and important data (China)
Workforce sanctions about privacy violations
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Workforce sanctions about privacy violations
Limiting disclosure of PHI to a specific covered function
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Limiting disclosure of PHI to a specific covered function
Legally authorized personal representatives with respect to PHI
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Legally authorized personal representatives with respect to PHI
Documentation of lawful personal data processing and transfer
Critical
High
Normal
Low
Processing principles and accountability
10
requirements

Examples of other requirements this task affects

§ 19: Behandling av personopplysninger
NIS2 NO
Article 22.3: Collection and protection of users’ personal information
CSL (China)
Article 2.2: Limitations on the transfer or disclosure of data
PDPL
Article 8.2: Elements of the data transfer risk assessment
PDPL
Article 2.3: Ensuring transfer or disclosure does not impact the privacy
PDPL
See all related requirements and other information from tasks own page.
Go to >
Documentation of lawful personal data processing and transfer
Executing and documenting data protection impact assessments
Critical
High
Normal
Low
Processing principles and accountability
12
requirements

Examples of other requirements this task affects

35. Data protection impact assessment
GDPR
36. Prior consultation
GDPR
A.7.2.5: Privacy impact assessment
ISO 27701
TSU-16: Tietosuojariskien hallinta
Julkri
TSU-17 : Tietosuojan vaikutustenarviointi
Julkri
See all related requirements and other information from tasks own page.
Go to >
Executing and documenting data protection impact assessments
Defining and documenting retention times for data sets
Critical
High
Normal
Low
Processing principles and accountability
21
requirements

Examples of other requirements this task affects

5. Principles relating to processing of personal data
GDPR
18.1.3: Protection of records
ISO 27001
21 §: Tietoaineistojen säilytystarpeen määrittäminen
TiHL
PR.IP-6: Data destruction
NIST
A.7.4.2: Limit processing
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Defining and documenting retention times for data sets
Implementation and documentation of balance tests
Critical
High
Normal
Low
Processing principles and accountability
5
requirements

Examples of other requirements this task affects

6. Lawfulness of processing
GDPR
21. Right to object
GDPR
18.1.4: Privacy and protection of personally identifiable information
ISO 27001
TSU-07: Käsittelyn lainmukaisuus
Julkri
See all related requirements and other information from tasks own page.
Go to >
Implementation and documentation of balance tests
Documentation of conditions of consent for relevant processing purposes
Critical
High
Normal
Low
Processing principles and accountability
14
requirements

Examples of other requirements this task affects

7. Conditions for consent
GDPR
17. Right to erasure (‘right to be forgotten’)
GDPR
A.7.2.3: Determine when and how consent is to be obtained
ISO 27701
A.7.2.4: Obtain and record consent
ISO 27701
A.7.3.4: Providing mechanism to modify or withdraw consent
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Documentation of conditions of consent for relevant processing purposes
Purpose limitation of processed, customer-owned data in offered cloud services
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

A.3.1: Public cloud PII processor’s purpose
ISO 27018
See all related requirements and other information from tasks own page.
Go to >
Purpose limitation of processed, customer-owned data in offered cloud services
Getting a proper consent for potential commercial utilization purposes of customer-owned data
Critical
High
Normal
Low
Processing principles and accountability
3
requirements

Examples of other requirements this task affects

A.3.2: Public cloud PII processor's commercial use
ISO 27018
Article 28.1-2: Processing data for advertising or awareness purposes
PDPL
Article 29: Direct marketing
PDPL
See all related requirements and other information from tasks own page.
Go to >
Getting a proper consent for potential commercial utilization purposes of customer-owned data
Process for safe destruction of temporary files and data from data systems
Critical
High
Normal
Low
Processing principles and accountability
3
requirements

Examples of other requirements this task affects

A.5: Data minimization
ISO 27018
A.5.1: Secure erasure of temporary files
ISO 27018
A.8.4.1: Temprorary files
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Process for safe destruction of temporary files and data from data systems
Consent condition review
Critical
High
Normal
Low
Processing principles and accountability
3
requirements

Examples of other requirements this task affects

A.7.2.4: Obtain and record consent
ISO 27701
P2.1: Communication of choices about personal information to data subjects
SOC 2
Article 11.1-2: Processing consent
PDPL
See all related requirements and other information from tasks own page.
Go to >
Consent condition review
Limiting marketing and advertising use of personal data processed under a contract
Critical
High
Normal
Low
Processing principles and accountability
3
requirements

Examples of other requirements this task affects

A.8.2.3: Marketing and advertising use
ISO 27701
Article 28.1-2: Processing data for advertising or awareness purposes
PDPL
Article 29: Direct marketing
PDPL
See all related requirements and other information from tasks own page.
Go to >
Limiting marketing and advertising use of personal data processed under a contract
Restriction of processing for personal data processed on behalf of a customer
Critical
High
Normal
Low
Processing principles and accountability
2
requirements

Examples of other requirements this task affects

A.8.2.2: Organization's purposes
ISO 27701
Article 4.6: Processing personal data for other purposes
PDPL
See all related requirements and other information from tasks own page.
Go to >
Restriction of processing for personal data processed on behalf of a customer
Informing of infringing processing instructions
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

A.8.2.4: Infringing instruction
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Informing of infringing processing instructions
Collection and documentation of explicit consents
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

P3.2: Additional measures when processing requires explicit consent
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Collection and documentation of explicit consents
Data privacy statement process
Critical
High
Normal
Low
Processing principles and accountability
0
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Data privacy statement process
Privacy-related codes of conduct and certification
Critical
High
Normal
Low
Processing principles and accountability
2
requirements

Examples of other requirements this task affects

32. Security of processing
GDPR
TSU-15: Osoitusvelvollisuus
Julkri
See all related requirements and other information from tasks own page.
Go to >
Privacy-related codes of conduct and certification
Regular self-evaluation of the lawfulness of processing personal data
Critical
High
Normal
Low
Processing principles and accountability
5
requirements

Examples of other requirements this task affects

6. Lawfulness of processing
GDPR
9. Processing of special categories of personal data
GDPR
TSU-07: Käsittelyn lainmukaisuus
Julkri
TSU-07.3: Käsittelyn lainmukaisuus - Erityiset henkilötietoryhmät
Julkri
See all related requirements and other information from tasks own page.
Go to >
Regular self-evaluation of the lawfulness of processing personal data
Processing of personal data related to criminal convictions and offenses
Critical
High
Normal
Low
Processing principles and accountability
3
requirements

Examples of other requirements this task affects

10. Processing of personal data relating to criminal convictions and offences
GDPR
TSU-01.1: Käsiteltävien henkilötietojen tunnistaminen - Erityiset henkilötietoryhmät tai rikostuomioihin ja rikoksiin liittyvät tiedot
Julkri
TSU-07.4: Käsittelyn lainmukaisuus - Rikostuomioihin ja rikoksiin liittyvät henkilötiedot
Julkri
See all related requirements and other information from tasks own page.
Go to >
Processing of personal data related to criminal convictions and offenses
Processing of a child's personal data in connection with the provision of information society services based on consent
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

8. Conditions applicable to child's consent in relation to information society services
GDPR
See all related requirements and other information from tasks own page.
Go to >
Processing of a child's personal data in connection with the provision of information society services based on consent
Identifying and complying with additional requirements related to automated decision-making
Critical
High
Normal
Low
Processing principles and accountability
2
requirements

Examples of other requirements this task affects

A.7.3.10: Automated decision making
ISO 27701
TSU-20: Automatisoidut yksittäispäätökset
Julkri
See all related requirements and other information from tasks own page.
Go to >
Identifying and complying with additional requirements related to automated decision-making

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Start free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.
Effortless compliance improvement
Widest framework library in EU
Extensive support

Start your compliance journey

Use in MS Teams or use your browser with Slack integration.
Risk free trial. No credit card required. Stop at any time.

Start free trial
Book a meeting
How it works?
SummarySecurity tasks and assuranceDocumentation workflowsEmployee guidelinesReporting templatesTrust center
Use cases
By frameworkAll frameworksISO 27001NIS2 directiveNIST CSFCSA CCMISO 27701GDPRISO 27017ISO 27018
By methodCyber risk managementEmployee awarenessCompliance reportingControl managementAsset managementPrivacy managementVendor assessmentsInternal audits
Resources
AcademyWebinarsBlogHelp articlesVideo coursesContent libraryGuidesNewsletterLeave a reviewPartner programTeamTerms of usePrivacy policy
Contact us
+358 10 231 6010
team@cyberday.ai
App works in:
Known in Finland as Digiturvamalli
© Cyberday Inc. Kalevantie 2 33100 Tampere, Finland
Cyberday.ai - Improve and certify your cyber security