The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:
The purpose of a data protection impact assessment is to help identify, assess and manage the risks involved in the processing of personal data. An impact assessment must be carried out when the processing of personal data is likely to pose a high risk to people's rights and freedoms. Risks are increased by, for example, the use of new technologies, the processing of sensitive personal data, the automation of personal characteristics or the scale of processing in general.
Task owner regularly evaluates organisation's processing of personal data, in particular, the databanks and related processing purposes and the data systems used, in order to determine the need for impact assessments. Task owner is also responsible for ensuring the identified impact assessments get conducted and documented.