Data Protection Impact Assessment under the GDPR (DPIA)
DPIAs (data protection impact assessments) help organisations identify, assess and mitigate or minimise privacy risks to data processing activities. They are particularly important when introducing a new data processing process, system or technology.
DPIAs also help organisations demonstrate compliance with the GDPR’s accountability principle, providing evidence that appropriate measures have been taken.
Failure to adequately conduct a DPIA where appropriate is a breach of the GDPR and could lead to fines of up to 2% of an organisation’s annual global turnover or €10 million – whichever is greater.
When is a DPIA needed?
The GDPR states three cases in which DPIAs must be conducted:
- “Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling”.
- Where processing sensitive data (e.g. health data, race, political opinions, etc.) on a large scale.
- “Systematic monitoring of a publicly accessible area on a large scale”.
The Regulation also stipulates that national data protection authorities must make public a list of the kind of processing operations that are subject to these requirements.
In addition, the GDPR provides that each Supervisory Authority must produce further guidance as to those processing activities which require a DPIA and those which do not. The guidelines provided by the Belgian Supervisory Authority can be accessed here.
When should a DPIA be conducted?
A DPIA should be conducted as early as possible within any new project lifecycle, so that its findings and recommendations can be incorporated into the design of the processing operation.
Known as ‘privacy by design’, the embedding of data privacy features in the design of projects can have the following benefits:
- Potential problems are identified at an early stage.
- Addressing problems early is often easier and cheaper.
- Increased awareness of privacy and data protection across the organisation.
- Organisations will be less likely to breach the GDPR.
- Actions are less likely to be privacy intrusive and have a negative impact on individuals.
Who should be involved in a DPIA?
Data controllers are responsible for ensuring the DPIA is carried out correctly.
The DPIA should be conducted by people with appropriate expertise and knowledge of the project in question, normally the project team. If your organisation does not have staff with sufficient expertise and experience, you could consider bringing in external specialists to consult or to carry out the DPIA.
Under the GDPR, any organisation with a designated DPO (data protection officer) must seek the DPO’s advice. This advice and the decisions taken should be documented as a part of the DPIA process.
What is ‘privacy by design’?
DPIAs are an integral part of taking a privacy-by-design approach.
Privacy by design means that privacy issues are considered and embedded into a programme’s design from an early stage.
Examples of personal data processing where a DPIA is likely to be required
- A hospital processing its patients’ genetic and health data.
- Archiving pseudonymised sensitive data from research projects or clinical trials.
- An organisation using an intelligent video analysis system to single out cars and automatically recognise registration plates.
- A company systematically monitoring its employees’ activities, including their workstations and Internet activity.
- Gathering public social media data for generating profiles.
- An institution creating a national credit rating or fraud database.
The EU’s Article 29 Working Party (WP29), in its guidelines on DPIAs, sets out the criteria that organisations should consider when determining the risks posed by a processing operation. The more of these criteria a processing activity meets, the more likely it is to present a high risk to the rights and freedoms of individuals, and therefore to require a DPIA.
Key elements of a successful DPIA
The GDPR does not specify which DPIA process must be followed, but instead allows organisations to introduce a framework that complements their existing working practices. The Data Protection Commission in Ireland has guidance on how and when to carry out a DPIA.
Key elements of a successful DPIA are:
- Identifying whether a DPIA is required;
- Defining the characteristics of the project to enable the risks to be assessed;
- Identifying data protection and related risks;
- Identifying data protection solutions to reduce or eliminate the risks;
- Signing off on the outcomes of the DPIA; and
- Integrating data protection solutions into the project.
When initiating a DPIA as part of your organisation’s GDPR compliance project, it is important to identify whether you have the right training, resources and expertise to fulfil the DPIA requirements. IT Governance Europe’s solutions can help you fill the gaps in your GDPR compliance with consultancy and toolkit solutions.
Our solutions to help you conduct a DPIA
Receive a complete set of documentation templates that are easy to use and customisable, and that support GDPR compliance, including a DPIA template and tool.
Speak to a GDPR advisor
Please contact our GDPR team for advice and guidance on our products and services.