GDPR Article 35: Data Protection Impact Assessment

The General Data Protection Regulation (GDPR) Audit reports provide documentation and compliance artifacts that help you demonstrate compliance with requirements outlined by GDPR.

The GDPR Article 35: Data Protection Impact Assessment report describes and provides access to features in the Alert Logic console that help demonstrate compliance with GDPR Article 35.

To access the GDPR Article 35: Data Protection Impact Assessment report:

  1. In the Alert Logic console, click the menu icon (), and then click Validate.
  2. Click Reports, and then click Compliance.
  3. Under GDPR Audit, click VIEW.
  4. Click GDPR Article 35: Data Protection Impact Assessment.

Filter the Report

To refine your findings, you can filter your report by date range and customer account.

Filter the report using drop-down menus

By default, Alert Logic includes (All) filter values in the report.

To add or remove filter values:

  1. Click the drop-down menu in the filter, and then select or clear values.
  2. Click Apply.

The report summary page displays two columns. Requirements lists each requirement from the selected GDPR Article. Available Documentation and Artifacts describes and contains links to the documentation and compliance artifacts that this report can generate to meet each requirement listed by the GDPR Article.

Available documentation and artifacts

This report provides documentation and artifacts that help you demonstrate that policies and procedures are implemented to protect data by design and by default.

Requirement 1

Requirement 1 of GDPR Article 35 requires that, when using new technologies for processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out an impact assessment of envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

This section provides you with the following links for quick access to appropriate pages for use as part of your DPIA security testing and analysis in the Alert Logic console:

  • The Deployments page, where you can Manage Scan Schedules for the deployments in your environments to detect software and application vulnerabilities, risky configurations, and systems with encryption issues.
  • The AWS CIS AWS Foundation Benchmark, were you can inspect pre-production AWS workloads and service for misconfigurations or overly permissive access that could expose protected data to attack or unauthorized access.
  • The Risk Reports and Threats Reports , where you can analyze and document the security posture of tested environment including risk levels, threat details, potential impact, and remediation recommendations.

Requirement 2

Requirement 3 of GDPR Article 35 requires the controller to seek the advice of the data protection officer, where designated, when carrying out a data protection assessment.

Alert Logic does not provide data for this requirement .

Requirement 3

Requirement 3 of GDPR Article 35 requires that the data impact assessment from requirement 1 be in the case of:

  1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or
  2. processing on a large scale of special categories of data referred to in Article 9 (1), or of personal data relating to criminal convictions and offenses referred to in Article 10; or
  3. a systematic monitoring of a publicly accessible area on a large scale.

Alert Logic does not provide data for this requirement.

Requirement 4

Requirement 4 of GDPR Article 35 states that the supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data impact assessment pursuant to requirement 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.

Alert Logic does not provide data for this requirement.

Requirement 5

Requirement 5 of GDPR Article 35 states that the supervisory authority may also establish and make public a list of the kind of processing operations for which no data impact assessment pursuant to requirement 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.

Alert Logic does not provide data for this requirement.

Requirement 6

Requirement 6 of GDPR Article 35 states that prior to the adoption of lists referred to in requirements 4 and 5, the supervisory authority shall apply the consistency mechanism referred to in Article 63 when the list involves processing activities which are related to the offering of goods or services to the data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.

Alert Logic does not provide data for this requirement.

Requirement 7

Requirement 7 of GDPR Article 35 requires that the assessment must contain at least (a) a systematic description of processing operations and purposes of processing, (b) an assessment of th enecessity and scope of processing operations, (c) a risk assessment to the rights and freedoms of data subjects from requirement 1, and (d) the measures for addressing risks, including safeguards, security measures, and mechanisms to protect personal data.

Alert Logic does not provide data for this requirement

Requirement 8

Requirement 8 of GDPR Article 35 requires the relevant controllers and processors to be compliant with approved codes of conduct from Article 40 while performing the data protection impact assessment.

Alert Logic does not provide data for this requirement.

Requirement 9

Requirement 9 of GDPR Article 35 requires that the controller to seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

Alert Logic does not provide data for this requirement.

Requirement 10

Requirement 10 of GDPR Article 35 states that when processing pursuant to point (c) or (e) of Article 6(1) has legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operations in question.

Requirement 10 also states that for a data protection impact assessment that has already been carried out as part of a general impact assessment in the context of the adoption of the legal basis, requirements 1-7 will not apply unless Member States deem it to be necessary to carry out the impact assessment prior to processing activities.

Alert Logic does not provide data for this requirement.

Requirement 11

Requirement 11 of GDPR Article 35 requires the controller to review processing operations when there is a change of the risk represented by processing operations.

Alert Logic does not provide data for this requirement.