In the vernacular of the GDPR, a Target refers to the association between an entity and a data processing activity. A GDPR DPIA target assessment is run on a target to identify whether it is a data processing activity, and if the assessment comes back and the target is identified as high-risk, you can create a DPIA risk to run a DPIA assessment on the target to determine how the risk can best be mitigated.

1. Navigate to GDPR DPIA > Data Processing Activity > Create Target.
   
2. Fill in the fields, as needed.

   Field	Description
   Name	Enter the name of the target.
   Owned by	Select the owner for this target.
   Description	Enter a description that describes the target.
   Active	Select this check box to activate the target.
   Entity	Select the entity associated with this target. An entity can have only one target associated with it.
   Framework	This field defaults to GDPR DPIA.

3. Do one of the following:
   • To save the data, click Update.
   • To identify the target record as a data processing activity, click here.
   • To modify the list of assessment respondents, click the Preliminary Assessments tab.
   • To perform a preliminary assessment on the target, click Send Assessments.
   • To perform a DPIA assessment on the target, click Generate DPIA.

Identifying a target as a data processing activity is the first step in determining whether a data processing assessment should be performed on the target.

1. Navigate to GDPR DPIA > Data Processing Activity > All Targets.

   

2. Select the target record you want to identify as a data processing activity.
3. Click Update.
   Two related lists appear: GDPR DPIA and GDPR Preliminary Assessment.

   

4. On the GDPR DPIA tab, select the Data Processing Activity check box.
5. Fill in the fields, as needed.

   Field	Description
   Approval Status	Displays the current status of the approval process.
   Purpose	The purpose of the target. Include information such as where the activity is applicable.
   Necessity and proportionality	An assessment of the necessity and proportionality of the target in relation to its purpose.
   Known measures	Measures for addressing the risk, including safeguards, security measures, and mechanisms to ensure the protection or personal data.
   Evaluation Criteria	Click the lock icon and select the criteria to be considered to evaluate whether the target likely results in high-risk. The criteria are: Evaluation or scoring Automated decision-making with legal or similar significant effect Systematic monitoring Sensitive data or data of a highly personal nature Data processed on a large scale Matching or combining datasets Data concerning vulnerable data subjects Innovative use or applying new technological or organizational solutions Preventing data subjects from exercising a right or using a service or contract
   Uses existing DPIA?	Select this check box if the target uses a pre-existing DPIA, then click the lock icon and select the DPIAs associated with this target from the list.
   Is advised by Data Processing Officer?	Select this check box if the target requires the approval of a Data Processing Officer, then click the lock icon and select the appropriate Data Processing Officer from the list.
   Uses approved Code of Conduct?	Select this check box if the target must be compliant with a Code of Conduct when its impact is accessed, then enter the name of the Code of Conduct in the text box.
   Seeks Data Subject views?	Select this check box if the target requires that the views of data subjects or their representatives be reviewed, then enter the data subject views in the text box.
   In existence prior to GDPR?	Select this check box if the target existed prior to the creation of the GDPR. Note: The requirement to carry out the DPIA applies to all existing data processing activities that are likely to result in a high risk to the rights and freedoms of natural persons for whom there has been a change of the risks.
   Is of high-risk?	Select this check box this is a high-risk target. Note: Even if there are no indications of likely high risk, consider performing a DPIA assessment for any major data processing activities that involve the use of personal data.

   Note: You have two options for filling out the fields on the GDPR DPIA tab. You can manually fill them out yourself as described above, or if you do not know the answers to the questions, you can generate an assessment for someone else who does, and then copy their responses from the assessment to the target form as describe below.
6. To generate an assessment for another user, perform these steps.
   1. Click the GDPR Preliminary Assessment tab.
   2. In the Assessment Respondents field, click the lock icon and select the user you want to fill out the form. When you have selected the responder, click the Lock icon again.
   3. Click Send Assessments. After the selected user has taken the assessment, a Copy Assessment Responses button appears.

      

   4. Click Copy Assessment Responses. The completed assessment record is shown.

      

   5. You can click View Response to view the assessment answers.
   6. Select the record and click Copy. The answers provided by the selected respondent are copied to the GDPR DPIA.
7. When you have completed the fields, do one of the following:
   • To save the data, click Update.
   • To modify the list of assessment respondents, click the Preliminary Assessments tab.
   • To perform a preliminary assessment on the target, click Send Assessments.
   • To generate a DPIA risk and initiate a DPIA assessment on the target, click Generate DPIA.
   • If you selected the Is advised by Data Processing Officer? check box and selected an approver, a Request DPO Approval button appears. Click this button to request approval from the selected approver. All fields on the GDPR DPIA tab become read-only. If further modification is needed, you can click Reset Approval.

You can initiate a preliminary assessment on a target to determine whether it is deemed to be a high-risk operation and to decide what mitigation procedures are needed. After the preliminary assessment is initiated, the selected assessment respondents can take the assessment.

1. Navigate to GDPR DPIA > Data Processing Activity > All Targets.

   

2. Open the target record you want to perform a preliminary assessment for.

   

3. Be sure that the Framework field shows GDPR DPIA.
4. Click the GDPR Preliminary Assessment tab.

   

5. Be sure the Assessments field shows GDPR DPIA Targets Assessment.
6. In the Assessment Respondents field, click the lock icon and select the users you want to take the preliminary assessment for the target.
7. When you have selected the responders, click the Lock icon again.
8. Click Send Assessments.
   The assessments are sent to the selected respondents and a message shows the number of assessments created. Also, the Assessments tab shows the assessment records.

   

9. To request the Data Processing Officer's approval, click the Request DPO Approval related link.
10. After respondents have responded, you can view their responses by clicking View Responses on the Assessments tab.

When you have been identified as a respondent of a preliminary assessment, you must access and take the assessment.

1. Navigate to GDPR DPIA > Data Processing Activity > My Preliminary Assessments.
   All assessments for which you are a requested respondent are shown.

   

2. Open the assessment you want to take.

   

   The fields are described here.

   Field	Description
   Number	Auto-generated record number.
   Metric type	Metric type of this assessment.
   Due date	Date by which the assessment must be completed. The system populates the due date from the value in the metric type Assessment duration field. The system generates email notifications related to the due date. Note: By default, the system runs the Cancel Expired Assessments script every 30 days to cancel expired survey, assessment, and quiz instances that are in the Work in progress or Ready to take states.
   Expiration date	Date by which the assigned user can repeat the assessment.
   State	State of the assessment.
   Assigned to	User this assessment is assigned to. This field becomes read-only when the state is In progress, Complete, or Canceled.
   Signature result	Verification provided by the recipient when a signature is required. This value is either the recipient's full name from the User [sys_user] table or checked, indicating that the recipient acknowledged reading the assertion by selecting a check box.

3. Click Take Assessment.

   

4. Answer the questions to the best of your ability, then click Submit.

Risk executives and Data Processing Officers can view the responses from individual assessment takers.

1. Navigate to GDPR DPIA > Data Processing Activity > All Preliminary Assessments.

   

2. Click the assessment number of the assessment you want to review.

   

3. Click the View User's Response related link.