What is a DPIA (data protection impact assessments)?
DPIAs (data protection impact assessments) help organisations identify, assess and mitigate or minimise the privacy risks arising from their data processing activities. They are particularly important when introducing a new data processing process, system or technology.
DPIAs also help organisations demonstrate compliance with the GDPR’s accountability principle, providing evidence that appropriate measures have been taken.
Failure to adequately conduct a DPIA where appropriate is a breach of the GDPR and could lead to fines of up to 2% of an organisation’s annual global turnover or €10 million – whichever is greater.
Key elements of a successful DPIA
The GDPR does not specify which DPIA process must be followed, but instead allows organisations to introduce a framework that complements their existing working practices. The Data Protection Commission in Ireland has guidance on how and when to carry out a DPIA.
Key elements covered are:
- Identifying whether a DPIA is required;
- Describing the information flows;
- Identifying data protection and related risks;
- Identifying data protection solutions to reduce or eliminate the risks;
- Signing off on the outcomes of the DPIA; and
- Integrating data protection solutions into the project.
When initiating a DPIA as part of your organisation’s GDPR compliance project, it is important to identify whether you have the right training, resources and expertise to fulfil the DPIA requirements. IT Governance Europe’s solutions can help you fill the gaps in your GDPR compliance with consultancy and toolkit solutions.
Why conduct a DPIA?
Article 35 of the GDPR mandates a DPIA be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. The three primary conditions identified in the GDPR are:
- If the processing constitutes a systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
- When conducting large-scale processing of special categories of data or of personal data relating to criminal convictions and offences.
- When there is systematic monitoring of a publicly accessible area on a large scale.
When should a DPIA be conducted?
A DPIA should be conducted as early as possible within any new project lifecycle, so that its findings and recommendations can be incorporated into the design of the processing operation.
Known as ‘privacy by design’, the embedding of data privacy features in the design of projects can have the following benefits:
- Potential problems are identified at an early stage.
- Addressing problems early is often easier and cheaper, as the identified solutions can be built into the project plan.
- Increased awareness of privacy and data protection across the organisation.
- Organisations will be less likely to breach the GDPR.
- Actions are less likely to be privacy intrusive and have a negative impact on individuals.
Who should be involved in a DPIA?
Data controllers are responsible for ensuring a DPIA is carried out correctly.
A DPIA should be conducted by people with appropriate expertise and knowledge of the project in question, normally the project team. If your organisation does not have staff with sufficient expertise and experience, you could consider bringing in external specialists to consult or to carry out a DPIA.
Under the GDPR, any organisation with a designated DPO (data protection officer) must seek the DPO’s advice. This advice, and the decisions taken, should be documented as a part of the DPIA process.
Examples of personal data processing where a DPIA is likely to be required
- A hospital processing its patients’ genetic and health data.
- Archiving pseudonymised sensitive data from research projects or clinical trials.
- An organisation using an intelligent video analysis system to single out cars and automatically recognise registration plates.
- A company systematically monitoring its employees’ activities, including their workstations and Internet activity.
- Gathering public social media data for generating profiles.
- An institution creating a national credit rating or fraud database.
The EU’s Article 29 Working Party (WP29), in its guidelines on DPIAs, sets out the criteria that organisations should consider when determining the risks posed by a processing operation. The more criteria that a processing activity meets, the more likely it is to present a high risk to the rights and freedoms of individuals, and therefore to require a DPIA.
Our solutions to help you conduct a DPIA
Speed up and simplify the DPIA (data protection impact assessment) process and ensure compliance with a key GDPR requirement.
Book our fixed-price DPIA service and get an assessment of the data protection risks associated with a new or existing data processing operation within your organisation.
Receive a complete set of documentation templates that are easy to use, customisable and ensure GDPR compliance, including a DPIA template and tool.
Speak to an expert
Please contact our team for advice and guidance on our products and services.