What is a data protection impact assessment?
Data protection impact assessments (DPIAs) help organisations identify, assess and mitigate or minimise the privacy risks associated with data processing activities. They’re particularly relevant when a new data processing process, system or technology is being introduced. A DPIA should be managed by the data controller, or by the data protection officer (DPO) if you have appointed one. Some organisations may consider appointing someone external to conduct the project.
A DPIA must be carried out when new technologies are used or when the processing is likely to result in a high risk to individuals. It’s also good practice to conduct one for any large scale data processing you carry out. A DPIA needs to contain a detailed description of the processing operations, an assessment of the necessity and proportionality of the processing in relation to its purpose, an assessment of the risks to individuals, and the controls put in place to mitigate those risks and protect people’s information.
When is a GDPR Data Protection Impact Assessment Required?
In general, GDPR requires Data Protection Impact Assessments (DPIAs) to be carried out for any new high risk processing activity, and specifically in the following cases:
- If you use systematic and extensive profiling with significant effects
- If you process special category or criminal offence data on a large scale
- If you systematically monitor publicly accessible places on a large scale
The GDPR guidelines suggest that, usually, only processing operations that involve two or more of these criteria will require a DPIA, but bear in mind that in some cases a processing operation that involves even one of these criteria will also require one.
The process of carrying out a DPIA helps you make informed decisions about data protection risks and communicate effectively with the individuals affected. Although risks can never be completely eliminated, a DPIA can help you identify data protection risks early, find solutions to mitigate them, and assess whether a project is viable.
High risk data processing
Under GDPR, organisations must undertake a DPIA when processing high risk or large scale data. High risk data processing includes systematic and extensive processing activities, large scale processing, processing of special category (sensitive) data, including data relating to criminal convictions, and systematic monitoring of public areas, for example by CCTV.