What is a Data Protection Impact Assessment (DPIA) and why does SAP recommend them?
“In order to enhance compliance with this regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk.”
Article 35, paragraph 7 of the GDPR sets out the minimum contents of a data protection impact assessment:
The data protection impact assessment shall contain at least:
(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
As point (a) indicates, a correctly scoped data protection impact assessment must begin by identifying the processing operations that legitimize the collection, storage, and processing of personal data.
SAP recommends a data protection impact assessment that also covers the assessment of SAP ERP (CRM, HCM, and Analytics) systems. In general, as part of this process, it is good practice to define an archiving model in which residence time and retention time are set so that they are fully compliant with business and legal requirements.
Need a data protection impact assessment that also includes your SAP systems? Let the Natuvion team help you! Schedule a one-day workshop.