Data protection impact assessments under the GDPR
DPIAs (data protection impact assessments) help organisations identify, assess and mitigate or minimise privacy risks to data processing activities. They are particularly important when introducing a new data processing process, system or technology.
DPIAs also help organisations demonstrate compliance with the GDPR’s accountability principle, providing evidence that appropriate measures have been taken.
Failure to adequately conduct a DPIA where appropriate is a breach of the GDPR and could lead to fines of up to 2% of an organisation’s annual global turnover or €10 million – whichever is greater.
How IT Governance Europe can help you
We have a selection of DPIA services that can support your organisation’s GDPR compliance, no matter how far along your project is.
Browse our range of GDPR products and services below to find out more, or get in touch with our GDPR team for advice and guidance about the support options.
Why conduct a DPIA?
Article 35 of the GDPR mandates a DPIA be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. The three primary conditions identified in the GDPR are:
- If the processing constitutes a systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
- When conducting large-scale processing of special categories of data or of personal data relating to criminal convictions and offences.
- When there is systematic monitoring of a publicly accessible area on a large scale.
When should a DPIA be conducted?
A DPIA should be conducted as early as possible within any new project lifecycle, so that its findings and recommendations can be incorporated into the design of the processing operation.
Known as ‘privacy by design’, the embedding of data privacy features in the design of projects can have the following benefits:
- Potential problems are identified at an early stage.
- Addressing problems early will often turn out easier and cheaper.
- Increased awareness of privacy and data protection across the organisation.
- Organisations will be less likely to breach the GDPR.
- Actions are less likely to be privacy intrusive and have a negative impact on individuals.
Who should be involved in a DPIA?
Data controllers are responsible for ensuring the DPIA is carried out correctly.
The DPIA should be conducted by people with appropriate expertise and knowledge of the project in question, normally the project team. If your organisation does not have staff with sufficient expertise and experience, you could consider bringing in external specialists to consult or to carry out the DPIA.
Under the GDPR, any organisation with a designated DPO (data protection officer) must seek the DPO’s advice. This advice and the decisions taken should be documented as a part of the DPIA process.
Examples of personal data processing where a DPIA is likely to be required
- A hospital processing its patients’ genetic and health data.
- Archiving pseudonymised sensitive data from research projects or clinical trials.
- An organisation using an intelligent video analysis system to single out cars and automatically recognise registration plates.
- A company systematically monitoring its employees’ activities, including their workstations and Internet activity.
- Gathering public social media data for generating profiles.
- An institution creating a national credit rating or fraud database.
The EU’s Article 29 Working Party (WP29), in its guidelines on DPIAs, sets out the criteria that organisations should consider when determining the risks posed by a processing operation. The more criteria that a processing activity meets, the more likely it is to present a high risk to the rights and freedoms of individuals, and therefore to require a DPIA. Read the WP29 guidance on DPIAs >>
Key elements of a successful DPIA
The GDPR does not specify which DPIA process must be followed, but instead allows organisations to introduce a framework that complements their existing working practices. The Data Protection Commission in Ireland has guidance on how and when to carry out a DPIA.
Find out more here >>
Key elements of a successful DPIA are:
- Identifying whether a DPIA is required;
- Defining the characteristics of the project to enable the risks to be assessed;
- Identifying data protection and related risks;
- Identifying data protection solutions to reduce or eliminate the risks;
- Signing off on the outcomes of the DPIA; and
- Integrating data protection solutions into the project.
When initiating a DPIA as part of your organisation’s GDPR compliance project, it is important to identify whether you have the right training, resources and expertise to fulfil the DPIA requirements. IT Governance Europe’s solutions can help you fill the gaps in your GDPR compliance with consultancy and toolkit solutions.
Our solutions to help you conduct a DPIA
Speak to an expert
Please contact our team for advice and guidance on our products and services.