Data Protection Impact Assessment (DPIA) & Risk Management Framework
Part IV of the Mentora Tanzania Legal Framework
Effective Date: 1 January 2026 · © 2026 Mentora Tanzania - A solution by Evolucion Technologies Company Limited
28. Purpose and Scope
This Data Protection Impact Assessment (DPIA) framework establishes the methodology by which Mentora Tanzania identifies, assesses, and mitigates risks to the rights and freedoms of data subjects arising from the processing of personal data through the Platform.
A DPIA shall be conducted before implementing any new processing activity, technology, or system change that is likely to result in a high risk to data subjects, particularly where the processing involves:
- Large-scale processing of children's data
- Systematic monitoring or profiling of individuals
- Automated decision-making with legal or significant effects
- Processing of sensitive personal data at scale
- Cross-border data transfers
- Adoption of new AI models or machine learning algorithms
29. DPIA Methodology
The DPIA process shall follow a structured methodology:
- Description of Processing: Document the nature, scope, context, and purpose of the proposed processing activity.
- Necessity and Proportionality Assessment: Evaluate whether the processing is necessary and proportionate to the stated purpose.
- Risk Identification: Identify potential risks to the rights and freedoms of data subjects.
- Risk Assessment: Evaluate each risk based on likelihood and severity using the risk matrix defined in Section 30.
- Mitigation Measures: Define technical and organizational measures to mitigate identified risks.
- Residual Risk Evaluation: Assess remaining risk after mitigation measures are applied.
- Approval and Documentation: Obtain approval from the Data Protection Officer and document the assessment.
- Review and Monitoring: Establish ongoing monitoring and periodic review schedules.
30. Risk Assessment Matrix
Risks shall be assessed using the following matrix, combining likelihood and impact severity:
| Likelihood / Severity | Low Impact | Medium Impact | High Impact | Critical Impact |
|---|---|---|---|---|
| Very Likely | Medium | High | Critical | Critical |
| Likely | Low | Medium | High | Critical |
| Possible | Low | Low | Medium | High |
| Unlikely | Low | Low | Low | Medium |
31. Privacy Risk Categories
The following risk categories shall be assessed for each processing activity:
A. Unauthorized Access
Risk of personal data being accessed by unauthorized persons, including external attackers or internal personnel without appropriate clearance.
B. Unlawful Disclosure
Risk of personal data being shared with third parties without proper legal basis, consent, or contractual safeguards.
C. Data Loss or Destruction
Risk of personal data being permanently lost due to system failure, natural disaster, or malicious action.
D. Inaccuracy
Risk of decisions being made based on inaccurate, outdated, or incomplete personal data.
E. Excessive Collection
Risk of collecting more personal data than is necessary for the stated purpose.
F. Harm to Vulnerable Persons
Risk of processing that could cause harm to children, students, or other vulnerable data subjects.
32. Mitigation Strategies
For each identified risk, the Company shall implement one or more of the following mitigation strategies:
- Technical Controls: Encryption, access controls, pseudonymization, automated monitoring, intrusion detection systems, and secure coding practices.
- Organizational Controls: Staff training, confidentiality agreements, clear data handling policies, segregation of duties, and regular compliance reviews.
- Contractual Controls: Data processing agreements with sub-processors, standard contractual clauses for international transfers, and binding service level commitments.
- Risk Transfer: Cyber liability insurance, indemnification clauses, and third-party security certifications.
- Risk Avoidance: Eliminating unnecessary processing activities or choosing less intrusive alternatives.
33. DPIA Review Schedule
DPIAs shall be reviewed and updated:
- Annually as part of the Company's compliance review cycle
- Upon any significant change to processing activities, systems, or technology
- Following any data breach or security incident
- Upon changes to applicable data protection legislation
- At the request of a Data Controller (Institution) or regulatory authority
All DPIA records shall be maintained for a minimum of five (5) years and made available to regulatory authorities upon request.
34. Governance and Accountability
The DPIA process is overseen by the Company's Data Protection Officer (DPO), who is responsible for:
- Ensuring DPIAs are conducted for all high-risk processing activities
- Reviewing and approving DPIA outcomes before processing begins
- Escalating unresolved high or critical risks to the Board of Directors
- Maintaining a register of all DPIAs conducted
- Reporting annually to the Board on data protection risk posture
Contact
For DPIA-related inquiries, contact: mentoratanzania@gmail.com.