Page 76 - EQA Employee Handbook Feb 2020 v1
• The Data Protection Impact Assessment;
• Any other information requested by the Data Protection Commissioner.
7.9. Annual Data Protection Risk Assessment
At least once per annum, a Data Protection Risk Assessment of EQA (Ireland) is carried out by an external
party. The date of the Risk Assessment shall be agreed by the Chief Executive.
The scope of the Risk Assessment shall be agreed prior to the agreed date, but shall include the following:
• Review of the ‘EQA Personal Data Inventory’, including verification of the stated retention
periods of personal data;
• Review of the adequacy of the current security measures in place to safeguard the personal
data processed by EQA (Ireland);
• Review of risk management practices related to data protection within EQA (Ireland);
• Review of the effectiveness of processes related to Data Protection Impact Assessments;
• Review of the Data Protection Policy.
Following completion of the Risk Assessment, a report shall be provided to the Chief Executive outlining
any identified nonconformities and/or opportunities for improvement, including any recommendations to
carry out a Data Protection Impact Assessment.
Appendix A
Table 1 List of documents referenced in the Data Protection Policy
| Doc. No. | Document Title | Issue | Date | Location |
|---|---|---|---|---|
| N/A | EQA (Ireland) Limited On-Line Certification Website Privacy Statement (www.securitycert.eqa.ie) | N/A | 06/06/2018 | \\SERVER\Administration\New Website |
| N/A | EQA (Ireland) Limited Privacy Statement (www.eqa.ie) | N/A | 06/06/2018 | \\SERVER\Administration\New Website |
| EQA (Ireland) Limited – General Terms & Conditions | General Terms & Conditions | 2 | 06/06/2018 | \\Server\eqa qms\Term & Conditions of sale |
| Independent Service Contract | Independent Service Contract | 4 | Oct 2017 | \\Server\eqa qms\Assessors\Z Assessor Service Agreements |
| Info_Security | Information Security Policy | 1 | Sep 2012 | \\Server\eqa qms\Information Security |