A DPIA (data protection impact assessment) is a type of risk assessment designed to identify the risks affecting the security of personal data. A DPIA will help you understand the likely consequences of processing such data. Understanding what a DPIA is forms part of being GDPR compliant.
They are a useful accountability tool: the results of a DPIA will help you demonstrate that you have taken the appropriate technical and organisational measures required by the GDPR (General Data Protection Regulation). It’s particularly important to carry one out when introducing new processes, systems or technologies for processing personal data.
When should you conduct a DPIA?
- Data controllers are responsible for conducting DPIAs as required by Article 35 of the GDPR.
- Data processors must assist the controller with its DPIAs, according to Article 28 of the GDPR.
When is a DPIA needed?
If data processing is likely to result in a high risk to the rights and freedoms of data subjects, then a DPIA is needed. This is particularly the case for:
- Automated decision-making, including profiling, that could significantly affect data subjects;
- Large-scale processing of special categories of data or personal data relating to criminal convictions and offences; and
- Systematic large-scale monitoring of public areas.
The ICO (Information Commissioner’s Office) clarifies that it requires a DPIA to be conducted when the processing:
- Uses new technologies;
- Uses profiling or sensitive data to decide on access to services;
- Profiles individuals on a large scale;
- Processes biometric or genetic data;
- Matches data or combines data sets from different sources;
- Involves ‘invisible processing’;
- Tracks data subjects’ location or behaviour;
- Profiles children or targets them for marketing or online services; or
- Involves data that might endanger data subjects’ physical health or safety in the event of a security breach.
What is high-risk processing?
Identifying high-risk processing is not easy. However, any process that meets the criteria set out in Article 35 of the GDPR can be considered high risk. Guidance is also provided by the ICO and the WP29 (Article 29 Working Party); the latter has since been replaced by the European Data Protection Board.
There may be some cases where processing doesn’t meet the GDPR, ICO or WP29 criteria but still represents a high risk to data subjects. It’s always best to err on the side of caution and conduct a DPIA if in doubt.
Making the DPIA process easier
The DPIA process is complicated, particularly because the GDPR itself does not specify a process for you to follow. You might therefore doubt whether you are carrying it out in a compliant manner. This is where we can help you.
Our team will work through the six steps with you in order to complete a GDPR-compliant DPIA.
- Process description: This is a series of questions where we ask you for information about the processes required.
- Screening: This is a series of questions that help you understand whether you need to conduct the DPIA.
- Consultation: We ask you about the parties you’ve consulted (such as data subjects or their representatives).
- Principles questionnaire: This is where we discuss the necessity and proportionality of the processing. We will want to know about the measures you have in place and whether they uphold data protection principles and data subject rights.
- Privacy risk assessment: We work with you to identify individual risks to the rights and freedoms of data subjects, including evaluating levels of risks and determining risk responses.
- Review: The DPIA is reviewed and a decision is made on whether the processing can go ahead.
You don’t have to be an expert to complete a DPIA. We have the expertise you need. Our DPIA Service will make sure that you answer the questions you need to, in order to be GDPR compliant.