Article 35 of the EU General Data Protection Regulation (GDPR) introduces the concept of data protection impact assessments (DPIAs).
DPIAs help organisations identify and minimise privacy risks in data processing activities. They are essential if you process any high-risk data, but they are also relevant when you are introducing a new data collection process, system or technology.
An effective DPIA ensures the security of your systems, bringing with it not only regulatory compliance but also financial and reputational benefits.
When is a DPIA necessary?
The GDPR states that DPIAs must be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. It doesn’t define ‘high risk’, but the term generally refers to the use of:
* Systematic and extensive profiling;
* Special category or criminal offence data on a large scale; and
* Systematic monitoring of publicly accessible places on a large scale.
The Article 29 Working Party has produced detailed advice on when a DPIA is necessary.
There are also activities for which a DPIA isn’t required but is still highly beneficial, for example, when introducing new data processing technologies, profiling or targeting services at children, or processing data that might endanger individuals’ physical health.
A DPIA should be conducted as early as possible, so that its findings and recommendations can be incorporated into the design of processing operations. You might not yet have decided what your processing activities will look like, but that shouldn’t be an excuse to delay the assessment. Processing high-risk data without conducting a DPIA is a violation of the GDPR and could lead to enforcement measures, such as fines.
How to conduct a DPIA
The GDPR doesn’t specify how a DPIA should be carried out, but instead gives organisations the freedom to introduce a framework that complements their existing practices. Nonetheless, there are certain essential steps that you should use as a basis:
1. Identify whether a DPIA is needed.
2. Describe the scope of data processing and how it flows through the organisation.
3. Assess whether any elements of processing are unnecessary or excessive.
4. Identify and assess risks to data.
5. Sign off and record the outcomes of the assessment.
6. Create a data protection plan based on your results.
7. Review the plan’s effectiveness.
Getting help with your DPIA
Because of the importance of DPIAs, the GDPR includes provisions to help organisations. For example, it specifies that data protection officers (DPOs) should provide guidance on the process. Although only some organisations are required to appoint a DPO, it’s beneficial to have one for circumstances such as this.
The DPO’s advice and the decisions you make based on it should be documented as part of the DPIA process.
Additionally, you must seek advice from your supervisory authority if you identify a risk that you can’t mitigate. The authority will provide written advice, but if there is no feasible solution, it might issue a formal warning not to process the data or ban you from processing it altogether.
You should also consider help in the form of dedicated DPIA training. If you’ve already taken a GDPR training course, you’ll know they are designed to give you a broad understanding of everything you need to know without going into depth on particular topics. For detailed advice on DPIAs, you’ll need specific training.
Our DPIA service provides an on-site assessment of the data protection risks associated with a new or existing single data processing operation within your organisation and recommendations on the appropriate controls to mitigate these risks.