By mukul975
Conduct GDPR DPIA/PIA for high-risk personal data processing in AI systems, biometrics, cloud migrations, health data, employee surveillance, marketing analytics, and emerging tech. Perform threshold screening, risk scoring with likelihood-severity matrices, mitigation planning, stakeholder consultations, periodic reviews, and prior supervisory authority consultations.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-impact-assessment-skills
Guides the combined DPIA and AI Act conformity assessment for AI systems processing personal data. Covers EDPB-EDPS Joint Opinion 5/2021, training data lawfulness under Art. 6 and Art. 9, Art. 22 automated decision-making, algorithmic bias detection, and NIST AI RMF MAP function. Keywords: AI privacy, DPIA, AI Act, algorithmic bias, automated decision-making, Art. 22, training data, NIST AI RMF.
Guides DPIA for biometric processing systems including facial recognition, fingerprint, voice, iris, and gait analysis. Covers Art. 9 special category requirements, Art. 35(3)(b) mandatory DPIA triggers for large-scale biometric processing, and EDPB Guidelines 3/2019 on video surveillance. Keywords: biometric, facial recognition, fingerprint, DPIA, Art. 9, special category, EDPB Guidelines 3/2019.
Guides DPIA for migrating personal data to cloud infrastructure covering controller-processor analysis under Art. 28, international transfer assessment, encryption requirements, and shared responsibility model evaluation. Activate for cloud adoption, SaaS procurement, or data centre migration projects. Keywords: cloud migration, DPIA, Art. 28, processor, encryption, shared responsibility, SaaS, IaaS, PaaS.
Compares PIA/DPIA methodologies: CNIL PIA tool, ICO DPIA template, NIST Privacy Framework, and ISO 29134. Provides methodology selection criteria based on regulatory jurisdiction, organisation maturity, processing complexity, and resource availability. Covers regulatory acceptance, tool features, and cross-methodology mapping. Keywords: PIA methodology, CNIL, ICO, NIST Privacy Framework, ISO 29134, DPIA comparison, assessment.
Guides the end-to-end GDPR Data Protection Impact Assessment process under Article 35, including mandatory trigger identification per Art. 35(3), DPIA content requirements per Art. 35(7), and EDPB WP248rev.01 methodology. Activate for systematic profiling, large-scale special category processing, or large-scale public monitoring. Keywords: DPIA, Article 35, impact assessment, WP248, data protection, risk assessment.
Conducts a Data Protection Impact Assessment for automated decision-making and profiling systems under GDPR Article 35(3)(a), covering algorithmic transparency, meaningful human oversight, contestation mechanisms, and Art. 22 safeguards. Activate for DPIA automated decision, profiling DPIA, algorithmic impact assessment, Art. 35(3)(a), ADM risk assessment queries.
Structures risk mitigation planning and residual risk tracking for Data Protection Impact Assessments under GDPR Article 35(7)(d). Covers mitigation measure identification, implementation tracking, residual risk acceptance, and Art. 36 prior consultation triggers. Keywords: DPIA mitigation, risk treatment, residual risk, Art. 35(7)(d), safeguards, mitigation tracking, prior consultation.
Provides a structured risk scoring methodology for Data Protection Impact Assessments aligned with ENISA threat taxonomy and ISO 29134. Covers likelihood and severity assessment, risk matrix construction, inherent vs residual risk calculation, and risk appetite thresholds per EDPB WP248rev.01 guidance. Keywords: risk scoring, DPIA risk matrix, likelihood, severity, ENISA, ISO 29134, residual risk, risk appetite.
Guides data subject and stakeholder consultation requirements during Data Protection Impact Assessments under GDPR Article 35(9). Covers consultation planning, data subject engagement methods, DPO involvement per Art. 35(2), and documentation of views received. Keywords: DPIA consultation, stakeholder engagement, Art. 35(9), data subject views, DPO advice, public consultation, representative groups.
Guides DPIA for workplace monitoring including email surveillance, internet usage monitoring, CCTV, GPS tracking, and keystroke logging. Covers GDPR Art. 88 employment context provisions, WP29 Opinion 2/2017 on data processing at work, and proportionality balancing for employee monitoring. Keywords: employee surveillance, workplace monitoring, DPIA, Art. 88, WP29 Opinion 2/2017, CCTV, email monitoring, GPS tracking.
Guides DPIA for health and medical data processing covering Art. 9(2)(h)-(j) exemptions, HIPAA crosswalk for transatlantic operations, clinical trial data protection under EU CTR 536/2014, and genetic data specifics under Art. 9(1). Activate for healthcare systems, clinical research, health apps, or medical device data. Keywords: health data, DPIA, Art. 9, clinical trial, genetic data, HIPAA, medical records, special category.
Guides DPIA for marketing profiling, behavioural targeting, cross-device tracking, and advertising analytics. Covers ePrivacy Directive Art. 5(3) cookie consent, PECR regulations, legitimate interest balancing for direct marketing, and adtech processing chain assessment. Keywords: marketing analytics, DPIA, profiling, behavioural targeting, cross-device tracking, ePrivacy, PECR, adtech, legitimate interest.
Guides privacy impact assessment for emerging technologies including IoT, blockchain, AR/VR, quantum computing, and digital twins. Covers risk identification methodology, proportionality assessment, and technology-specific privacy challenges. Activate when evaluating new technology adoption, innovation projects, or emerging tech procurement. Keywords: PIA, emerging technology, IoT, blockchain, AR/VR, quantum computing, digital twins, innovation privacy.
Guides implementation of the NIST Privacy Framework IDENTIFY function covering ID.BE business environment, ID.DA data actions, ID.IM improvement, and ID.RA risk assessment subcategories. Maps NIST PF controls to GDPR requirements for dual-framework compliance. Keywords: NIST Privacy Framework, IDENTIFY function, ID.BE, ID.DA, ID.IM, ID.RA, privacy risk assessment, data actions.
Guides the periodic DPIA review lifecycle including trigger identification for regulatory changes, new data categories, technology changes, and breach incidents. Covers version control, stakeholder sign-off procedures, and DPIA register management per Art. 35(11). Keywords: DPIA review, PIA update, review cadence, version control, Art. 35(11), periodic review, trigger events, stakeholder sign-off.
Conducts pre-DPIA threshold screening to determine whether a full Data Protection Impact Assessment is required under GDPR Article 35. Applies the EDPB WP248rev.01 nine-criteria test, national supervisory authority blacklists, and organisational risk appetite to produce a documented screening decision. Keywords: threshold screening, DPIA trigger, pre-DPIA, WP248, Article 35(1), blacklist, screening decision.
Guides the Art. 36 prior consultation process when a DPIA indicates high residual risk that cannot be mitigated. Covers required documentation per Art. 36(3), the 8-week DPA response timeline, outcome management, and interaction protocols with supervisory authorities. Keywords: prior consultation, Art. 36, supervisory authority, DPA, high residual risk, DPIA escalation, consultation documentation.
Guides the Privacy Threshold Analysis screening process to determine whether a full DPIA is required. Provides a quick-screen questionnaire, threshold criteria based on WP248rev.01, escalation triggers, and documentation requirements. Activate when evaluating new processing activities, system changes, or procurement decisions. Keywords: PTA, privacy threshold analysis, DPIA screening, quick-screen, threshold criteria, WP248, escalation triggers.