GDPR accountability & DPIA log
Assesses whether the organisation takes a systematic approach to GDPR accountability: every new or changed processing activity is screened for risk, a full Data Protection Impact Assessment (DPIA) is carried out where Article 35 requires one, and a formal log is maintained so that compliance can be demonstrated on request (the accountability principle of Article 5(2)). This rigorous oversight embodies the Islamic principle of muhasabah (accountability) and the imperative of sadd al-dhara'i (blocking the means to harm): risks to privacy are identified and mitigated before harm occurs.
| Metric | DPIA Screening & Completion Rate |
|---|---|
| Target | 100% |
| Frequency | Annual |
| Method | Sample new and changed processing activities (e.g. from the Article 30 record of processing and the project register) and check each against the screening records and the DPIA log; an activity counts as compliant only if it was screened and, where screening found high risk, a DPIA was completed and signed off before go-live |
| Unit | Percentage of sampled activities that are compliant |
Level 1: Initial/Ad-hoc
No formal process for data protection impact assessments (DPIAs) exists. High-risk data processing activities are not systematically identified or assessed.
Level 2: Developing
An ad-hoc process for assessing data protection risks exists. DPIAs are conducted reactively for some high-risk projects, but not consistently, and neither a formal screening step nor a central log is maintained.
Level 3: Established
A documented DPIA process and template are defined, and a central log for tracking DPIAs exists, but they are applied inconsistently across the organisation.
Level 4: Advanced
DPIA screening is mandatory at project initiation, and a full DPIA is completed before procurement or go-live for high-risk processing. Stage-gate checklists cover lawful basis, retention, and security controls. Residual risk is accepted only by named senior owners, and where residual risk remains high the supervisory authority is consulted before processing begins (Article 36).
Level 5: Optimizing
The DPIA process is subject to continuous improvement via annual thematic reviews and quality metrics. Insights from DPIAs proactively inform strategy, policy updates, and targeted training. External assurance is performed periodically.
Organisation Types
By Organisation Size
| Size | Applicability | Notes |
|---|---|---|
| Micro | exempt | Maintaining a formal DPIA log and screening checklist for every activity is disproportionate; basic privacy notices and secure storage normally suffice. Note that Article 35 is not size-based: if a micro organisation undertakes high-risk processing (for example large-scale processing of special-category data), a DPIA is still legally required. |
| Small | partial | Requires a basic data protection policy and a named contact; formal DPIA screening for every minor change is disproportionate, but a DPIA must still be carried out for any processing that meets the Article 35 high-risk criteria. |
| Medium | partial | Needs a documented policy, staff training, and a named lead; the DPIA process can be scaled to focus on high-risk processing and major system changes, with the screening record showing why lower-risk changes were excluded. |
| Large | full | |
| Major | full | |
Applicable When
- Organisation is established in the EU/EEA and processes personal data in the context of that establishment (Article 3(1))
- Organisation is established outside the EU/EEA but offers goods or services to, or monitors the behaviour of, individuals in the EU/EEA (Article 3(2))
Not Applicable When
- Organisation does not collect or process any personal data
- Organisation has no establishment in the EU/EEA and neither offers goods or services to, nor monitors the behaviour of, individuals there, so it falls outside the territorial scope of Article 3
Discussion (1)
📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json