Data Protection Impact Assessment (DPIA) before the use of the MIRROR tool

Step 1 – Initiation

1. Verify if a DPIA is necessary. A DPIA is necessary if the data processing activity conducted with the MIRROR tool falls in one of the situations below (note: the list is not exhaustive):
   • Assessment of data subjects based on their personal characteristics;
   • Automated decisions are being taken in relation to the rights of data subjects;
   • Systematic and large-scale monitoring;
   • Sensitive data are collected and processed;
   • Large-scale data processing;
   • Data from multiple databases with different purposes are linked;
   • Data from vulnerable data subjects are collected and processed;
   • New technologies are utilised to collect and process data;
   • Blocking of access to a right, service or contract takes place.
2. Verify what type of data processing will be conducted and if any legal effects concerning and affecting natural persons are created.
3. Verifying the positive lists/blacklists of the data protection supervisory authorities and determine if the current type of data processing is included in them.
4. Assess the nature, scope, context, and purpose of processing when determining if it is likely that it will result in a high risk to the data subjects.

Step 2 – Preparation

1. Collect information and document all the relevant subjects participating in the data processing activities. Describe the technical and organisational measures introduced.
2. Identify the data subjects.
3. Identify all current or potential, direct and indirect, internal or external stakeholders that might be involved with the processing, along with an analysis of their motives, interests and abilities to obtain access to or influence the data and processing operations.
4. Compose the DPIA team containing varied specialists including, among others, legal and IT experts.
5. Plan and schedule workshops and deadlines for the DPIA team.

Step 3 – Execution

1. . Determine the data processing goals and damage scenarios, utilising the criteria of each when analysing the data processing that takes place and ascertaining whether the risks involved are either minor, manageable, substantial or major.
2. For each risk identified, document the factors that may lead to its materialization.
3. Select mitigation measures. Address the identified risks and implement technical and organisational measures that would entirely mitigate said risks. If the risks cannot be mitigated, consider the modification of the data processing activity or even its discontinuation. The measures implemented must prioritise the risks in accordance with their severity.
4. Assess if the selected methods and measures reduced the identified risks to an acceptable level. If the risks have not been reduced in a satisfactory manner, additional measures must be undertaken or a data protection supervisory authority must be consulted.
5. Assess the necessity and proportionality of the processing operations. Consider if all the risks are sufficiently mitigated and if there are no longer any high risks.

Step 4 – Implementation

1. Implement and test the mitigation measures. Document their effectiveness. If new risks are identified, address them in accordance with the established methods.
2. If applicable, receive approval from the Data Protection Authority for the introduced mitigation measures.

Step 5 – Sustainability

1. Monitor the risks already identified, the effectiveness of the measures implemented and the processing of personal data.
2. Identify deviations or changes that may occur. Assess if new factors or risks alter the outcome of data processing.
3. Making adjustments in conformity with the newly identified risks. If risks remain high, repeat the steps from the preparation phase to the implementation phase.