DPIA - Data Protection Impact Assessment

The DPIA is about putting privacy at the top of the agenda. ‘Privacy by Design’ is taken seriously within the bounds of GDPR; it is about ensuring that privacy is at the centre of all future projects. It is also about meeting individuals’ (your customers’) expectations of privacy.

When we carry out a DPIA, it is a process of analytically considering the potential impact that any project or part of the project might have on the privacy of individuals.

A DPIA will allow you to identify potential privacy issues BEFORE they arise, allowing you to consider ways to fix them; this could reduce costs and avoid damage to your reputation.

A DPIA could be discussed within a cross-functional team that includes key stakeholders, thus ensuring that all bases are covered.

Under GDPR a DPIA is mandatory for ALL organisations involved in high-risk processing, i.e. the processing of sensitive data. You must carry out a DPIA when:

  • Using new technologies
  • The processing is likely to result in a high risk to the rights and freedoms of individuals.

Processing that is likely to result in a high risk includes (but is not limited to):

  • Systematic and extensive processing activities, including profiling, and where decisions have legal effects – or similarly significant effects – on individuals.
  • Large-scale processing of special categories of data or personal data relating to criminal convictions or offences. This includes processing large amounts of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to rights and freedoms, e.g. based on the sensitivity of the processing activity.
  • Large-scale, systematic monitoring of public areas (CCTV).

What information should the DPIA contain?

  • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purpose.
  • An assessment of the risks to individuals.
  • The measures in place to address risk, including security measures, and to demonstrate that you comply.

A DPIA can address more than one project.

Where a DPIA indicates that the risks identified in relation to the processing of the personal data cannot be fully alleviated, data controllers will be required to consult the DPO before starting the project.

At organisational level you need to determine the future projects that will require a DPIA and put the necessary processes in place to accommodate it.

  • Who will be responsible for carrying out the DPIA?
  • Who needs to be involved?
  • Will the process be run centrally or locally?

Good practice would be to always adopt a ‘privacy by design’ approach and to think about data minimisation – ‘do you really need all the data that you collect?’

Start to think ‘privacy’ from the outset.