The Catalan Data Protection Authority (APDCAT) has renewed the application that facilitates the preparation of Data Protection Impact Assessments (DPIA), an obligation in cases where there is a high risk to the rights and freedoms of individuals. The new application replaces the previous one, from 2020, and represents a substantial step forward: it improves the user experience and incorporates the catalog of security control measures from the National Security Framework (ENS) in its latest 2022 version, the standard that has set the information security requirements for the public sector since 2022.
The new application, available for Linux and Windows (macOS coming soon), allows organizations to carry out a DPIA in a guided and systematic way, through predefined questions, while working locally and in isolation. Users must describe the data processing to be carried out, the type of data, the processes and actors involved, and whether there are transfers to third parties. They must also specify the legal basis for the processing, whether minors’ data, special categories, or criminal data are used, the validity of consent where applicable, and the risks for individuals. Specifically, threats to individuals and the estimated level of risk (low, medium, high, very high) must be identified, as well as the safeguards that ensure individuals can exercise their rights (access, rectification, objection, etc.).
One of the new features is that it incorporates a detailed catalog of measures updated to ENS 2022 to mitigate potential initial risks associated with processing, the impact on individuals, and the likelihood of risk. In addition, the information has been restructured, and the design modified to make navigation more intuitive and attractive, thus improving the user experience. For example, certain questions allow the user to expand additional information through a pop-up window to clarify concepts. At the end, the application provides final conclusions and generates a detailed report on the DPIA results.
New guide and support materials
In addition to the new application, the APDCAT has updated the practical guide Data Protection Impact Assessment, which explains the entire process in detail. It has also prepared a new user manual for the application, an updated template, and an explanatory leaflet to promote the new application during the Authority’s participation in conferences, fairs, or congresses. A promotional video has also been produced to raise awareness of the tool through other channels, such as the APDCAT website and social networks.
Currently, DPD en Xarxa is working on integrating the FRIA Model (a model for carrying out impact assessments on fundamental rights) with the data protection impact assessment, with the aim of reducing the burden on organizations while maximizing the guarantee of individuals’ rights.
The new application incorporates the catalog of measures to mitigate risks, adapted to the 2022 National Security Framework, which is mandatory for public administrations, and improves the user experience with guided navigation.