Data Protection Impact Assessments & the GDPR: The Lowdown

When it comes to making sure your business is complying with the General Data Protection Regulation now and in the future, you are going to need to understand what is, and when to complete a Data Protection Impact Assessment (DPIA). A DPIA may sound a bit intimidating, but don’t worry, they’re not! They are a great way to ensure all data processing you do is legal. DPIA’s protect your business by minimising risk and who wouldn’t want to do that? They will form a key part of the armoury for Data Protection Officers and Information Asset Owners going forward.

What is a Data Protection Impact Assessment?

A DPIA is not there to eradicate risk, but it is a tool to minimise risk and make you think twice about whether the data processing you are undertaking is necessary and legal.

Let’s take a look at what a typical DPIA should contain:

• A description of the data processing activities, its purpose and what the legitimate interests of the controller are

• A review of how necessary the data processing is

• A consideration of how the individual’s rights and freedoms may be impacted by the data processing

• An outline of the mitigations to the privacy risks identified - this could be security related or it might be a change to the process

Essentially your DPIA documentation should demonstrate how you are complying with the General Data Protection Regulation and meeting the needs and legitimate interests of those concerned.

It is also worth noting that in certain circumstances the Data Controller will need to undertake research to understand the view of the data subject in relation to the data processing. This could be done by researching data subjects directly or by talking to groups that represent them.

Who should undertake the DPIA?

The Data Protection Officer or Information Asset Owner will usually complete this type of document, but if it occurs that you must complete it, you must consult your Data Protection Officer before doing so. After all, they are the ones with all the data protection knowledge.

When should I do a DPIA?

To comply with the principle of privacy by design, any new development, product, process or service that falls within the scope of processing personal data, should have a DPIA undertaken.
But to be more specific the GDPR states that you must carry one out if:

• You are doing any systematic or extensive processing of personal data, that involves automated decision making such as profiling, which could be likely to have a legal or significant effect on a person. It is possible that some profiling for marketing might be considered to have significant effect, so it is important to undertake a DPIA on any new project

• You are undertaking any large-scale processing of any special categories of data, or information about criminal convictions or offences

• You are systematically monitoring a public area on a large scale

DPIA’s can be broken in to stages, with a lighter stage initially, to identify if there are likely to be risks and then a more detailed investigation if the possibility of risk is identified. The size and complexity of the project will also determine the scope and depth of a DPIA. In many instances, the Data Protection Officer will not be the one undertaking the initial lighter investigation. The Data Protection Officer could be consulted at a later stage or if their specialised knowledge is required.

Some good news though, it is likely that if you already carried out a risk assessment on the legal basis of your data processing, you will not need to carry out a DPIA.

Finally…

Once a DPIA has been undertaken, it’s important to continue to monitor the process to ensure it’s still compliant with what was set out in the DPIA. This would at least need to be done if there are any changes to codes of conduct, legislation or changes to the process.

For more information on the GDPR visit our GDPR resource library.