Page 70 - EQA Employee Handbook

Retained documentation shall ably support the iterative Data Protection Impact Assessment process as laid out in the flowchart in Appendix B.

7.8.6. The Data Protection Impact Assessment should be carried out prior to the data processing, as early as is practicable in the design of the processing operation, and should be updated as appropriate both prior to and during the data processing.

7.8.7. EQA (Ireland) senior management are responsible for ensuring the Data Protection Impact Assessment is carried out.

7.8.8. Where the data processing is wholly or partly performed by a data processor, the data processor should assist the controller in carrying out the Data Protection Impact Assessment, as well as providing any necessary information.

7.8.9. Where appropriate, in carrying out a Data Protection Impact Assessment, the views of data subjects or their representatives should be sought. These views should be sought through appropriate means, with a lawful basis for processing any personal data involved in seeking such views.

    7.8.9.1. Where the final decision of EQA (Ireland) differs from the views of the data subjects, the reasons for going ahead or not should be documented within the ‘Data Protection Impact Assessment Form’.

    7.8.9.2. Where the views of data subjects are not sought, justification for this should be documented within the ‘Data Protection Impact Assessment Form’. Examples of such justifications may include the compromise of confidentiality of business plans, or the disproportionality and impracticality of seeking the views of data subjects.

7.8.10. The Data Protection Impact Assessment shall include:
    •  A description of the envisaged processing operations and the purposes of the processing;
    •  An assessment of the necessity and proportionality of the processing;
    •  An assessment of the risks to the rights and freedoms of data subjects;
    •  The measures envisaged to:
           o  Address the risks;
           o  Demonstrate compliance with the GDPR.

7.8.11. At its discretion, and for the purposes of demonstrating accountability and transparency, EQA (Ireland) may publish a summary or conclusion of the Data Protection Impact Assessment.

7.8.12. Where the Data Protection Impact Assessment indicates that the risks to the rights and freedoms of natural persons cannot be sufficiently addressed by EQA (Ireland), the Data Protection Commissioner shall be consulted prior to the commencement of any processing. The Data Protection Commissioner shall be provided with:
    •  The respective responsibilities of EQA (Ireland), any joint data controllers, and any data processors involved in the data processing;
    •  The purposes and means of the intended data processing;
    •  The measures and safeguards provided to protect the rights and freedoms of data subjects;
    •  The Data Protection Impact Assessment;
    •  Any other information requested by the Data Protection Commissioner.

7.9. Annual Data Protection Risk Assessment

7.9.1. At least once per annum, a Data Protection Risk Assessment of EQA (Ireland) is carried out by an external party. The date of the Risk Assessment shall be agreed by the Chief Executive.

7.9.2. The scope of the Risk Assessment shall be agreed prior to the agreed date, but shall include the following:
    •  Review of the ‘EQA Personal Data Inventory’, including verification of the stated retention periods of personal data;
    •  Review of the adequacy of the current security measures in place to safeguard the personal data processed by EQA (Ireland);
    •  Review of risk management practices related to data protection within EQA (Ireland);
    •  Review of the effectiveness of processes related to Data Protection Impact Assessments.

                                                                                             Page 69 of 79