Data Retention
Satisfaction Guaranteed
You won’t be disappointed
100%
Customizable
1,000
Successful Projects
35
Countries Covered
Your Needs Solved
…instead of just a piece of software
450
Data Protection Officers
Security
Not Just Privacy
26,000
Processing Activities
Unique Expertise
We are with you from A to Z
45,000
Trainings Delivered
20
Years in Business

Since 2003
We are one of the providers with the longest experience in the market

International Team
Our data protection expertise is transnational and we work internationally

Privacy Impact Assessment
2B Advice has been named a Sample Vendor in four different Gartner Hype Cycles (Cyber Risk Management, Data Security, Privacy, Legal and Compliance Technologies)

Top 5 % Employer
Received the prestigious award from kununu, one of the leading European platforms for employer evaluation.

ISO 19011
Certified Auditor

Gold Member
IAPP Gold Member

ISO Certified
2B Advice is ISO/IEC 27001:2017 Certified

CIPP
Certified Information Privacy Professionals
Data Retention Policy
Retention policies establish how data will be archived and for how long it will be kept. Organisations use them to plan both the archiving of data and its eventual deletion.
It’s hard to know what you need to keep, what you can delete and how long it should be kept for.
You’re not sure how to plan for data retention.
We make it easy for you to create a data retention policy that’s right for your organisation.
Automatic Retention Enforcement
Data Retention FAQs
What is a data protection impact assessment?
A data protection impact assessment (DPIA) is a tool for identifying and mitigating risks to personal data. It examines the processing of personal data, identifies the risks to the individuals being processed, and considers how those risks can be mitigated. A data protection impact assessment should be conducted before any new processing takes place or significant changes are made to existing processing.
What is the purpose of a data protection impact assessment (DSFA, the German abbreviation for DPIA)?
The purpose of a DSFA is to help organizations make informed decisions when implementing new technologies and systems by providing them with an overview of the potential risks. Once an organization understands these risks, it can take steps to implement additional controls or safeguards to reduce the impact on people’s privacy. Organizations can also use DSFA documentation as evidence of compliance with regulations such as the General Data Protection Regulation.
What is the goal of a privacy impact assessment?
The goal of a PIA is to minimize the risk of harm from projects, programs, policies and technologies by going through the following steps:
- Identifying threats
- Understanding the likelihood that these threats will occur
- Assessing whether we can mitigate those threats and what is needed to do so
- Addressing any remaining threats.
When should you do a privacy impact assessment?
An initial assessment or initial PIA can be part of a proactive set of assessments when establishing a privacy program. Also, a PIA can be part of an annual audit of the privacy organisation within your company. A PIA seeks to identify the overall compliance risk exposure of a company regarding compliance with privacy regulations.
The outcome of a PIA should identify cases where more specific risk assessments, e.g., a DPIA (EU), a DPA (US) or a DTIA, need to be carried out.
Whether we are talking about a PIA, a DPA, or a DPIA, typically the governing regulation provides guidelines around areas of risk. The GDPR has the broadest definition in that DPIA is required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”. However, US state data protection acts have fairly specific definitions.
Most often full data protection assessments or data privacy impact assessments are required reactively, in line with specific regional or national privacy regulations and related to specific activities such as prior to introducing a high risk processing activity or new technology or ones that bring heightened risk to consumer privacy or security such as profiling or targeted advertising.
What are the benefits of a Privacy Impact Assessment?
PIAs are a best practice for the appropriate and purposeful use of personal data by businesses. A PIA reduces privacy risk by allowing you to identify and mitigate data protection risks, plan the implementation of solutions to those risks, and assess the viability of a project at an early stage.
The result of a PIA enables regulatory compliance, improves control over personal data throughout the data life cycle, and determines authorization and access management. It assists in the prevention of data breaches and personal data misuse or abuse. Importantly, it helps IT, privacy and security leaders to quantify risk to consumers and apply suitable mitigating controls in a timely manner.
How do you conduct a data privacy impact assessment?
The Privacy Impact Assessment is the first step in understanding what the organization needs and requires from the data protection standpoint.
The PIA pinpoints the areas that need implementation and improvement for a cohesive and risk-averse development of the data protection program. From the PIA the organization will learn whether a DTIA is needed and what and where a DPIA is needed.
In essence, any project related to the processing of personal data either introduces a new processing activity or at minimum applies new technology to existing processes, and this may cause risk and attack surfaces to change. An initial impact assessment conducted at the initiation of a project protects against the need for retroactive assessment and an endless loop of remediation. An initial assessment can identify where any special categories of personal data or in particular, specially defined high-risk activities are or might be in play.
After you have conducted your organizational information audit, you would begin building your records of processing activities. Records of processing activities (RoPAs) allow you to make an inventory of data processing and to have an overview of what you are doing with the personal data concerned. RoPAs include significant information about the data processing activities being carried out.
Who performs Privacy Impact Assessment?
Why is it important to undertake a PIA to understand high risk processing?
How much does a Privacy Impact Assessment cost?
What must be included in a privacy impact assessment?
Under Virginia’s CDPA, data controllers are required to conduct data protection assessments of any processing activities that involve personal data used in any of the following: (a) targeted advertising; (b) sale of personal data; (c) for purposes of profiling; (d) sensitive data; and (e) data that presents a heightened risk of harm to consumers.
Under the Colorado Privacy Act, data protection assessments focus on processing that presents a heightened risk of harm to the consumer such as processing for (a) targeted advertising where profiling is a risk of unfair or deceptive treatment, financial or physical injury, or intrusion on solitude or seclusion; (b) the sale of personal data; or (c) processing sensitive data.
Under California’s CPRA, updated Section 1798.185 (a)(15), data protection assessments must be conducted by businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security.
CPRA now requires businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to:
(A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent. The factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities,
(B) submit to the California Privacy Protection Agency (CPPA) on a regular basis a risk assessment with respect to their processing of personal information, including whether the processing involves sensitive personal information, and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing, with the goal of restricting or prohibiting such processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public. Nothing in this section shall require a business to divulge trade secrets.
Under the EU’s GDPR, DPIAs are not necessary for every processing activity, but they are mandatory for any new high-risk processing project and should be carried out prior to the processing (GDPR Article 35) or during the design phase of a new technology.
How long does it take to conduct a data protection impact assessment?
The time required depends on the size and complexity of the data processing activities and the flow of personal data in your organization.
What documentation is needed for the privacy impact assessment?
When you create the privacy impact assessment for a project, you need all relevant information about the project. This includes, by way of example:
- The goals of the project
- The types of data categories that will be used
- The methods that will be used
- The risks associated with the project
- When the data will be deleted
- The terms of use that may be necessary when collecting data
- The behavior of staff and employees with regard to data protection in accordance with company policy
Is there a template for conducting a data protection impact assessment?
No, there are no templates provided for in the GDPR. A data protection impact assessment should be tailored to your specific circumstances.
Who will be affected by the outcome of the privacy impact assessment?
The people affected by the privacy impact assessment are those associated with the project. This may include customers, colleagues, partners, and others. The success of the project depends on the acceptance of all these people: they must agree with it or benefit from it.
Our Clients
Latest Blog Posts
The CNIL has released an action plan for privacy-respecting deployment of AI systems in light of recent developments in the field.
2B Advice PrIME is pleased to announce several updates to its Privacy Management solution.
Today marks 20 years since Marcus Belke and Hajo Bickenbach started this amazing company on January 13th, 2003.