TS-RDC-06 Trust & Stewardship Risk, Data & Compliance CORE Compliance v2.9.7

GDPR accountability & DPIA log

Assesses a systematic approach to GDPR compliance, ensuring all new or changed data processing activities are screened for risk, full Data Protection Impact Assessments (DPIAs) are conducted where required, and a formal log is maintained to demonstrate accountability. This rigorous oversight embodies the Islamic principle of muhasabah (accountability) and the imperative of sadd al-dhara'i (blocking the means to harm) by proactively identifying and mitigating risks to safeguard privacy.

Assessment Questions
  1. Is a DPIA screening checklist completed for every new/changed processing activity, and are 'no DPIA required' decisions recorded with rationale?
  2. Does the organization have a documented policy and procedure for conducting DPIAs that includes consultation and Art. 36 triggers?
  3. Is there a formal, centrally managed log to record all screenings/DPIAs, their outcomes, residual risks, and links to the ROPA?
  4. Where residual high risk remains, is there documented Art. 36 escalation (senior sign-off and/or ICO consultation)?
  5. Do DPIAs explicitly assess processors, data sharing, and international transfers, and do outcomes feed contract/DPA requirements?
  6. How are the collective findings from DPIAs used to identify trends and drive continuous improvement?
Evidence Requirements
  • The official DPIA policy, procedure, and assessment template.
  • DPIA screening checklist samples (including 'no DPIA required' cases).
  • The complete DPIA log/register, showing history, residual risks, and status.
  • Examples of completed DPIA reports for high-risk activities.
  • Evidence of DPIA integration in project documentation (stage-gate checklists).
  • Example of ROPA (Art. 30) or Risk Register updates triggered by DPIA findings.
  • Board/SMT paper summarising DPIA log and top privacy risks.
Scoring Guidelines
Level  Rating  Description
5      5/5     Continuous improvement via thematic reviews, quality metrics, and external assurance; DPIA insights proactively inform strategy
4      4/5     DPIA screening mandatory at project initiation; stage-gates enforce 'no-go' without sign-off; residual risks accepted by senior owners
3      3/5     A documented process and template exist; central log is maintained but application may be inconsistent
2      2/5     Minimal process; DPIAs are conducted ad-hoc for some high-risk projects; no formal screening or central log
1      1/5     No DPIA process, screening, or log

Discussion (1)

Administrator 2026-03-07 11:07:51

📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json
