DPIA > Risk Monitor


A Data Protection Impact Assessment (DPIA) is an instrument designed to help organizations systematically analyze, identify, and minimize the data protection risks of a project or system. DataGrail's Risk Monitor enables organizations to assess processing scenarios that could result in a “high risk to the rights and freedoms of natural persons”.

 

Common Triggers for DPIAs:

  • New Vendors: When a company is obtaining a new piece of technology that may encompass “high risk” processing scenarios and/or especially sensitive data, and a DPIA is indicated as determined by an earlier risk assessment, such as a PIA.

  • Changing Business Use: When a vendor has changed something significant about the way they process “high risk” data, or when a customer is changing something about the way they intend to use an existing system.
    • e.g. We are going to be using high-risk new features or pursuing a novel use of a technology that would warrant a new DPIA.

  • High-Risk Projects: When a company is embarking on a project (e.g. a targeted marketing campaign) that will likely contain high-risk processing activities and/or especially sensitive data, and a DPIA is indicated as determined by an earlier risk assessment, such as a PIA.

  • Audit: In response to an audit by an external regulatory body or in due course of litigation.

  • Internal Due Diligence: When a DPIA has “expired” based on a company privacy program’s internal retention schedule.

 

DataGrail User Roles

Only the following will have access to the Risk Monitor tab without being assigned as a contributor to an assessment:

  • Super Admin

Additionally, only a Super Admin user is able to 'approve' an assessment.
 

NOTE: Combining any user role that does not have access to this UI with any of the above user roles that do have access will grant the user access to this functionality. For example, if a user had a Connections Manager role, adding a Super Admin role to their user record in DGAdmin would then allow them access to the new Risk Monitor.

 

Workflow

When the Risk Monitor Assessment is enabled for a Customer, a new header tab named Risk Monitor will appear within the Customer’s DataGrail account, located next to Live Data Map. Clicking on this tab will display:

  • All previously created assessments and their associated name, state, contributor assignee, personal data likelihood, percentage of completion*, due date*, renewal date*, and Approving user*
  • The ability to create a new assessment
  • The total count of all created assessments

(* = new features recently added)

All previously created assessments will be sorted in ascending order based on creation date, with the earliest assessment created displaying last on the list.


Creating a New Assessment

Clicking on the ‘Create New Assessment' button will direct the user to a creation page where they need to specify: 

  • Assessment Name
  • System(s) (ability to add multiple systems)
  • Business Process(es) (optional)
  • Due Date (optional)*
  • Renewal Cycle*

(* = new features recently added)


 

Adding a Contributor

When a contributor email is added to an assessment, an invite email is sent to the email address with: 

  • Subject: “Inviter (first name and last name) from Customer’s_Datagrail_Account_Name has shared an assessment with you”
  • Body: First name, last name and email address of the DataGrail Customer user that created the assessment, the name of the customer’s DataGrail account and the system this assessment is for
  • Clickable link to view and edit the assessment
  • [Optional] Message for Contributor

A contributor can also be added after an assessment has been created if the assessment is in either a ‘Not Started’ or ‘In Progress’ state.

By clicking on the ‘...’ button to the right of an assessment, a user can add a contributor to an already created assessment: select the Invite Contributor option and fill in the email address and an [optional] message to send them an invite.

If a contributor has already been added to an assessment, clicking on the ‘...’ button to the right of an assessment will display the options to ‘Resend Invite’ or ‘Remove Contributor’. Clicking Remove Contributor will load a confirmation explaining that removing a contributor also submits the assessment. Confirming this action will display a green notification, move the assessment into an ‘In Progress’ status (if it was not already), and remove the contributor.

 

Filling out an Assessment

All created assessments have a total of 10 sections where the user is able to add information related to the system on the assessment. 

  • General Information
  • Need for DPIA
  • Consultation Process
  • Data Processing Content
  • Benefits of Processing
  • Lawfulness & Fairness
  • Privacy Rights & Expectations
  • Protective Measures
  • Special Topics
  • Risks & Mitigations

All questions within these sections are optional to complete.

A user can move back and forth between sections by (1) using the Back and Next buttons respectively or (2) clicking on the section they want to jump to in the list of sections on the left-hand side of the assessment. The section the user is currently on is highlighted in blue.

 

Submitting vs. Approving an Assessment

Submitting an Assessment

When an invited contributor has finished filling in the assessment, they are able to Submit the assessment. Clicking this button prompts a confirmation pop-up with:

  • Context around what this action means
  • The ability to add an [Optional] message to the Assessment Owner
  • Buttons to both Cancel and Submit Assessment

 

Approving an Assessment

A Super Admin user is the only user type that can approve an assessment. When an assessment has been submitted by the editing user, it is in an In Progress state. Clicking on the ‘...’ button on the right of this assessment will only display the option to View the assessment.

Clicking "View" will load the submitted assessment with the option to Approve Assessment. Clicking on this button will load a confirmation modal that the super admin will need to confirm for the assessment to be submitted.


When an assessment is successfully submitted, all approval and change saving ability is replaced at the bottom of the assessment with the option to Download as PDF.

 

Assessment Statuses

There are four statuses an assessment can be in: 

  • Not Started
  • In Progress
  • Pending Approval
  • Approved

Each status will provide a percentage of completion. If the Assessment is "Not Started", the percentage will show as 0%.

 

Not Started

No edits have been saved on this assessment yet by the editing user. This state is still editable by the editing user. 

 

In Progress

This state can occur if:

  1. Edits have been saved on this assessment by the editing user. This state is still editable by the editing user.
  2. The invited contributor on the assessment was removed from the assessment by a Super Admin. This state is still editable by a Super Admin user. 
  3. The invited contributor on the assessment completed the assessment and submitted it. This state is still editable by a Super Admin user.

 

Pending Approval

This state occurs when the invited collaborator(s) complete the assessment and submit it for approval.

 

Approved

This state can only occur if a Super Admin approves an assessment. This state is not editable, only viewable, regardless of user permissions. 

 

If you have any questions about this feature, please reach out to your dedicated CSM or support@datagrail.io.

 

The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.
