Some estimate that only one in three enterprises is in compliance with the GDPR. One of the most overlooked aspects is the carrying out of Data Protection Impact Assessments, or DPIAs. Given that companies often lack the human resources to carry them all out at the same time, it is useful to define an order of priority among the various types of processing requiring a DPIA. To facilitate this task, it helps to identify the most sensitive processing aimed at highly personal data.
In Luxembourg, while the list of processing for which a DPIA is required was adopted by the National Commission for Data Protection, or the CNPD, the list of types of processing for which one is not required is not yet online.
To define the order of priority for the DPIAs to be carried out, you may consult the list established by the French data protection authority, the Commission nationale de l’informatique et des libertés, or the CNIL, published on 22 October 2019. Even if it is not directly applicable to Luxembourg, the monitoring of consistency under the GDPR allows one to draw inspiration from the work of other supervisory authorities.
Our Digital team is at your disposal to assist you in your compliance as well as in responding to concerned persons and supervisory bodies.
See also our Luxembourg GDPR retention table – October 2019.