A data protection impact assessment (DPIA) is a risk assessment that measures the impact of data processing on the rights and freedoms of individuals. A DPIA allows your organisation to minimise potential personal data risks before starting a new project.
Conducting a DPIA before starting a potentially high-risk process is essential to remaining GDPR compliant.
When to conduct a DPIA
Organisations should complete a data protection impact assessment (DPIA) before beginning a data processing project that is likely to result in a high risk to the rights and freedoms of individuals.
Examples of high-risk personal data processing activities are:
- An HR department adopting a new system to process payslips and employee records
- Use of biometric data (such as fingerprints) for access control
- Processing of any genetic data
- Processing data in a novel way through existing or new technologies (as is often the case in machine learning and AI)
- Contracting SaaS cloud services
DPIAs are also beneficial to organisations when conducted regularly, irrespective of the perceived risk to individuals. Regular DPIAs allow your organisation to assess its use of data, from capture to deletion and everything in between. In doing so, you are able to identify areas of weakness and mitigate these concerns.
DPIA Requirements
Online templates are available to help you complete a data protection impact assessment report. These templates are a good starting point and should be adapted to suit your organisation’s particular requirements.
A DPIA should include:
- Whose personal data you plan to process, e.g. customer, employee or patient data
- What kind of personal data you will use
- How you plan to use the personal data
- Measures you will take to minimise and prevent risk to individuals
A DPIA should assess:
- The necessity of using personal data to meet your aim
- If the potential risk is worth the desired business outcome
- If you need to contact a supervisory authority, such as the Information Commissioner’s Office (ICO).
Once the DPIA is complete, the following is required:
- Critically assess if there is a high risk to individuals after risk mitigation. If so, contact a supervisory authority, such as the Information Commissioner’s Office (ICO).
- Integrate the outcomes of the DPIA into your project plan
- Continue to monitor the project against your DPIA to ensure privacy by design is maintained
- Publish your DPIA, redacting sensitive information, to maintain transparency and accountability.
Formiti and our team of data privacy experts are experts on global data regulations. We can help you with all your data compliance requirements, including risk assessments. Call us on +44 (0) 121 582 0192 or email us at [email protected] to book a free one-hour consultation.