Conduct a data protection impact assessment (DPIA)

Goal: Complete a full data protection impact assessment for every high-risk processing activity and capture it as a record.

In Cenedril you run a data protection impact assessment by opening the Data Protection Impact Assessment page in the Data Privacy Assistant. It lists every processing activity marked as requiring a DPIA in the Record of Processing Activities. For each activity you work through necessity, data flow, risk assessment, risk treatment and consultation, confirm the activity, and publish the result as a record.

Open the DPIA page

Open the Data Protection Impact Assessment

Open the Data Privacy Assistant and select the Data Protection Impact Assessment page from the progress bar. The page lists every processing activity that requires a DPIA, each with a status indicator.

The DPIA page with the activities requiring a DPIA and their status indicators.

Add missing activities

If you instead see the notice “No processing activity requiring a DPIA has been identified.”, no activity is marked as requiring a DPIA yet. Use the Go to Record of Processing Activities button to switch to the ROPA and mark the relevant activity. It then appears on the DPIA page.

Expand an activity

Click an activity to expand it. The assessment sections open in the order in which you fill them in.

Fill in the assessment

Confirm necessity and proportionality

In the Necessity and Proportionality Assessment section, tick the four statements on data minimisation, purpose limitation, storage limitation and data subject rights wherever the processing meets them.

Describe the data flow

Under Data Flow Mapping, use the required field to describe how data moves through the processing. With Upload Data Flow Diagram you can also attach a diagram. A click opens it full screen.

Assess the risks

In the Risk Assessment section, click Start Risk Assessment. Select the applicable risk scenarios and rate each one for likelihood and impact. The risk matrix and the summary table consolidate the result.

The risk assessment with scenario selection plus likelihood and impact.

Treat the risks

In the Risk Treatment section, assign suitable measures to the risks. Then reassess the risks to capture the effect of the measures.

Consultation and completion

Document the consultation

In the Consultation section, record whether the Data Protection Officer (DPO) Consultation and the Stakeholder Consultation have taken place. If a high risk remains after treatment, the Supervisory Authority Consultation section shows the notice “High risks remain after treatment”, indicating that a consultation of the supervisory authority is required.

The consultation section with DPO, stakeholders, supervisory authority and review schedule.

Schedule the review

Set a date for the next review in the review schedule. This keeps the assessment current when circumstances change.

Confirm the activity and publish

At the bottom of the activity, click Confirm DPI activity. Once all activities requiring a DPIA are complete, finish the page with Save & Continue. Each completed assessment becomes a record in the Documentation area, and the assistant moves on to the technical and organisational measures.

Result: the activities requiring a DPIA carry the “Complete” status, each finished assessment is stored as a record in the Documentation area, and any remaining high risk has its supervisory authority consultation documented.

Frequently asked questions

Why does no activity appear on the DPIA page?

The DPIA page only shows processing activities that are marked as requiring a DPIA in the Record of Processing Activities (ROPA). Until an activity is marked that way, a notice with a “Go to Record of Processing Activities” button appears. Mark the relevant activity there and it will show up on the DPIA page.

When do I have to consult the supervisory authority?

If a high risk remains after risk treatment, the “Supervisory Authority Consultation” section displays the notice “High risks remain after treatment”. In that case, prior consultation of the supervisory authority under Art. 36 GDPR is required before the processing starts.

Do I need to upload a data flow diagram?

A text description of the data flow is required. The data flow diagram is optional and adds a visual to the description. You can upload an image and open it full screen with a click.

What happens after I complete a DPIA?

Once a DPIA activity carries the “Complete” status and you publish it with “Save & Continue”, it becomes a record in the Documentation area. You can reopen the assessment later and confirm it again after changes.

Can I revise a DPIA later?

Yes. Reopen the activity and adjust the entries. Use the review schedule to set a date for the next regular review so the assessment stays current.