Step 3: Managing risks

Risk management in Dastra can take several forms:

• Data Protection Impact Analysis (DPI / DPA),

• Risk identification and assessment (using the Risk module),

• Audits.

Impact analysis

If you have identified personal data processing operations that are likely to generate high risks for the rights and freedoms of data subjects, you will need to carry out a Data Protection Impact Assessment (DPIA) for each of these operations.

To help you determine whether your processing is likely to give rise to high risks, the following 9 criteria are defined in the G29 guidelines:

1. Evaluation or scoring;

2. Automated decision with legal effect or significant similar effect;

3. Systematic monitoring;

4. Sensitive or highly personal data;

5. Personal data processed on a large scale;

6. Cross-referencing of data sets;

7. Data concerning vulnerable persons;

8. Innovative use or application of new technological or organizational solutions;

9. Exclusion from a right, service or contract.

These criteria are directly integrated into our data processing creation workflow, and you can indicate for each of your processes whether or not an PIA has been carried out on it.

Risk identification and assessment

Dastra's Risk module enables you to manage risks at the level of your processes, your stakeholders (e.g. subcontractors) and your assets.

The risk management methodology complies with standard information systems risk management requirements.

There are 4 steps to follow:

1. risk identification

2. risk assessment

3. risk response

4. risk monitoring

Generally speaking, risk is measured as follows:

Audits

For more information to take risk management, Dastra can also design audits, carry out campaigns and collect the results in the form of exportable audit reports.

That's it, your risks have been identified and assessed! Then move on to step 4, task prioritization.