DPIAs (data protection impact assessments) under the GDPR
What is a DPIA?
DPIAs help organisations identify, assess and mitigate or minimise privacy risks with data processing activities. They are particularly relevant when introducing a new data processing process, system or technology.
DPIAs also support the EU GDPR’s (General Data Protection Regulation) accountability principle, helping organisations prove that they have taken appropriate measures as required by the Regulation.
Failing to adequately conduct a DPIA where mandated constitutes a breach under the GDPR and could lead to fines of up to 2% of an organisation’s annual global turnover or €10 million – whichever is greater. Read more about the fines and penalties under the GDPR.
For advice and guidance on conducting a DPIA, get in touch with one of our GDPR experts.
Speak to an expert
Key elements of a successful DPIA
The GDPR does not specify a DPIA process to follow; instead, it allows for organisations to introduce a framework that complements their existing working practices. Carrying out a privacy impact assessment as suggested by the UK’s ICO (Information Commissioner’s Office) and the CNIL (Commission Nationale de l’Informatique et des Libertés) is an example of such a framework.
A DPIA will typically consist of the following key steps:
- Identify the need for a DPIA.
- Describe the information flow.
- Identify data processing and related risks.
- Identify solutions to reduce or eliminate these risks.
- Sign off the outcomes of the DPIA.
- Integrate data protection solutions into the project.
Why should organisations conduct a DPIA?
The GDPR mandates a DPIA to be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. The three primary conditions identified in the GDPR are:
- A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
- Processing of special categories of data or personal data relating to criminal convictions and offences on a large scale.
- Systematic monitoring of a publicly accessible area on a large scale.
Examples of personal data processing where a DPIA is likely to be required:
- A hospital processing its patients’ genetic and health data on its information system.
- The archiving of pseudonymised sensitive data from research projects or clinical trials.
- An organisation using an intelligent video analysis system to single out cars and automatically recognise registration plates.
- An organisation systematically monitoring its employees’ activities, including their workstations and Internet activity.
- The gathering of public social media data for generating profiles.
- An institution creating a national-level credit rating or fraud database.
The WP29 (Article 29 Working Party), in its guidelines on DPIAs, sets out the criteria that organisations should consider when determining the risks posed by a processing operation. The more criteria are met, the more likely it is to present a high risk to the rights and freedoms of individuals, and therefore to require a DPIA.
Read the WP29 guidance on DPIAs >>
When should a DPIA be conducted?
A DPIA should be conducted as early as possible within any new project lifecycle so that its findings and recommendations can be incorporated into the design of the processing operation.
Known as privacy by design, the embedding of data privacy features in the design of projects can have the following benefits:
- Potential problems are identified at an early stage.
- Addressing problems early will often be easier and cheaper.
- Increased awareness of privacy and data protection across the organisation.
- Organisations will be less likely to breach the GDPR.
- Actions are less likely to be privacy intrusive and have a negative impact on individuals.
Who should be involved in conducting a DPIA?
Data controllers are responsible for ensuring a DPIA is carried out.
The DPIA should be conducted by those with appropriate expertise and knowledge of the project in question, normally the project team. If your organisation does not possess sufficient expertise and experience internally, you could consider bringing in external specialists to consult or to carry out the DPIA.
Find out more about outsourcing a DPIA >>
Under the GDPR, it is necessary for any organisation with a designated DPO (data protection officer) to seek advice. This advice and the decisions taken should be documented as a part of the DPIA process.
Our solutions to help you conduct a DPIA
When initiating a DPIA as part of your organisation’s GDPR compliance project, it is important to identify whether you have the right training, resources and expertise to fulfil the DPIA’s requirements. IT Governance’s solutions can help you fill the gaps in your GDPR compliance with training and consultancy solutions.
Book our fixed-price DPIA service to get an assessment of the data protection risks associated with a new or existing data processing operation within your organisation.
Learn more >>
The market-leading EU GDPR Documentation Toolkit provides you with a complete set of documentation templates that are easy to use, customisable and ensure GDPR compliance, including a DPIA template and tool.
Shop now >>
Take a free trial >>
Speak to an expert
If you need guidance or advice on conducting a DPIA, or would like to learn more about how our services can help you fulfil your DPIA requirements, please get in touch with our team of GDPR experts.