Page 75 - EQA Employee Handbook Feb 2020 v1

justification for this determination shall be documented in the relevant section of the ‘Data Protection
          Impact Assessment Form’.

          Where a Data Protection Impact Assessment is to be carried out, a new subfolder shall be created in the
          server location, \\SERVER\Administration\Data Protection Act\Data Protection Impact Assessments\,
          uniquely identifying the nature of the assessment. The subfolder shall contain all relevant documentation,
          including the associated ‘Data Protection Impact Assessment Form’.

          Retained documentation shall ably support the iterative Data Protection Impact Assessment process as laid
          out in the flowchart in Appendix B.

          The Data Protection Impact Assessment should be carried out prior to the data processing, as early as is
          practicable in the design of the processing operation, and should be updated as appropriate both prior to
          and during the data processing.

          EQA (Ireland) senior management are responsible for ensuring the Data Protection Impact Assessment is
          carried out.

          Where the data processing is wholly or partly performed by a data processor, the data processor should
          assist the controller in carrying out the Data Protection Impact Assessment, as well as providing any
          necessary information.

          Where appropriate, in carrying out a Data Protection Impact Assessment, the views of data subjects or
          their representatives should be sought. These views should be sought through appropriate means with a
          lawful basis for processing personal data involved in seeking such views.

          Where the final decision of EQA (Ireland) differs from the views of the data subjects, the reasons for going
          ahead or not should be documented within the ‘Data Protection Impact Assessment Form’.

          Where the views of data subjects are not sought, justification for this should be documented within the
          ‘Data Protection Impact Assessment Form’. Examples of such justifications may include the compromise of
          confidentiality of business plans, or the disproportionality and impracticality of seeking the views of data
          subjects.

          The Data Protection Impact Assessment shall include:
                   •  A description of the envisaged processing operations and the purposes of the processing;
                   •  An assessment of the necessity and proportionality of the processing;
                   •  An assessment of the risks to the rights and freedoms of data subjects;
                   •  The measures envisaged to:
                          o  Address the risks;
                          o  Demonstrate compliance with the GDPR.
          At its discretion, and for the purposes of demonstrating accountability and transparency, EQA (Ireland) may
          publish a summary or conclusion of the Data Protection Impact Assessment.

          Where the Data Protection Impact Assessment indicates that the risks to the rights and freedoms of
          natural persons cannot be sufficiently addressed by EQA (Ireland), the Data Protection Commissioner shall
          be consulted prior to the commencement of any processing. The Data Protection Commissioner shall be
          provided with:
                   •  The respective responsibilities of EQA (Ireland), any joint data controllers, and any data
                       processors involved in the data processing;
                   •  The purposes and means of the intended data processing;
                   •  The measures and safeguards provided to protect the rights and freedoms of data subjects;
