What is data protection impact assessment?

Data protection impact assessments (DPIAs) help organisations identify, assess and mitigate or minimise privacy risks with data processing activities. They’re particularly relevant when a new data processing process, system or technology is being introduced. A DPIA should be managed by the data controller, or data protection officer (DPO) if you have appointed one. Some organisations may consider appointing someone externally to conduct the project.

DPIAs contain a detailed description of the processing operations, an assessment of risks, and what controls need to be put in place to protect people’s information. DPIA’s must be carried out using new technologies or if there is a high risk. It’s also good practice to conduct them on any large scale data processing you carry out. A DPIA needs to contain a detailed description of the processing operations, an assessment of the necessity and proportionality of the processing in relation to the purpose, an assessment of risks to individuals, and what controls are put in place to mitigate any risks.

Read more: on-demand DPIA webinar

When is a GDPR Data Protection Impact Assessment Required?

In general, GDPR requires Data Protection Impact Assessments (DPIAs) to be carried out for any new high risk processing activities, and specifically in the following cases:

• If you use systematic and extensive profiling with significant effects
• If you process special category or criminal offence data on a large scale
• If you systematically monitor publicly accessible places on a large scale 

The GDPR guidelines suggest that usually, only processing operations that involve two or more of these criteria will require a DPIA, but take into account that in some cases, a processing operation that involves even one of these criteria will actually also require one.

The process of carrying out a DPIA helps to make informed decisions about data protection risks and to communicate effectively with the individuals affected. Although risks can never be completely eliminated, the DPIA can help you identify and mitigate data protection risks early, to find solutions to those risks, and to assess whether a project is viable.

High risk data processing

Under GDPR, organisations must undertake a DPIA when processing risky or large scale data. High risk data processing includes systematic and extensive processing activities, large scale processing, processing of special categories (sensitive) data, including those related to criminal convictions, and systematic monitoring of public areas such as CCTV.

Continue reading

With GDPR (General Data Protection Regulation) day approaching, the number of vacancies in roles as a Data Protection Officer (DPO) has reportedly increased by over 700% in the last two years. Data protection professionals are finding that their skills and knowledge are suddenly invaluable and in high demand compared to a few years ago. VinciWorks’ guide to being a DPO will give you a clearer idea of what is required from a DPO, helping you appoint the right person for the role. The guide will also help those being promoted to the role of DPO gain an understanding of what is required of them under GDPR.

Free download

Continue reading

Often used as a free marketing tool, and with some staff having thousands of personal followers on social media platforms such as Twitter, Facebook and LinkedIn, social media is becoming an important cog in many companies’ marketing campaigns. Here is some guidance on what GDPR requires of us when using social media for marketing purposes.

Read: The digital marketing guide to GDPR

GDPR and social media

In recent years social media has become a central platform for communication between businesses and customers or clients. Since social media tools all work with personal data, those using them for business purposes must take data protection regulations into account. But this shouldn’t deter you from using these tools: used correctly, social media can be an excellent form of communication and marketing. The important thing is to make sure you keep your social media platforms secure and that you handle all customers’ data appropriately.

What does GDPR mean for social media marketing?

When considering how to best manage social media marketing, it’s important to keep data protection rules and best practice in mind. It is unlawful to collect more data than you need, and you need to be able to justify any information you collect. But social media marketing can actually be better for marketing and for GDPR compliance than older methods of email lists and marketing, which are not as effective as they once were. Connecting with potential leads through social media, sharing relevant content and contact details can be much more effective and targeted than blunt force direct marketing, and when done correctly, potentially less problematic on a GDPR front.

Who does the legislation apply to?

GDPR does not apply to individuals using social media for their own purposes, but does apply to individuals acting as sole traders or organisations who use social media in the following ways:

• Posting personal data on a website
• Downloading and using personal data from a website
• Running a website which allows others to post comments or other content about people

Continue reading

How to make your digital marketing GDPR compliant:

Due to the requirements under GDPR for obtaining consent to collect and process data, one of the departments in your organisation most likely to be affected by the reguations are marketing professionals. 

Four years into GDPR, GDPR fines are bigger than ever before and always growing: there was a 113% increase in GDPR fines between July 2020 to July 2021, and penalties have grown as well, from €130.69 million in July 2020 to €293.96 million in July 20201. Many of the biggest fines were marketing related, including a €746m fine doled out to Amazon for compiling data on customers and a €225m fine to WhatsApp for failing to provide information in clear and plain language. 

Using information that is publicly available doesn’t mean you’re off the hook: agricultural conglomerate Monsanto were fined €4,000,000 for maintaining records of activists, since they were essentially tracking them in an ongoing way without informing them.

As a marketer who collects information, whether it’s information that’s publicly available or not, it’s more important than ever to make sure you’re doing so in a GDPR-compliant way. The guidance given in this blog will help your marketing team fully comply with GDPR.

Read: GDPR: 10 things to do now

Assessment: how ready are you for GDPR?

Marketing lists

In June 2017, JD Weatherspoons felt the best way for its digital marketing to become compliant with GDPR was to delete its entire marketing list. While this may be the favourable approach for the pub chain, GDPR certainly does not require businesses to delete their entire marketing list.

Organisations can provide customer details to third parties only if they made this clear when the information was being collected. Records of how consent was obtained must be clear if the list is being used for making marketing calls, texts, or emails.

Continue reading

How many days are there until the General Data Protection Regulation?

VinciWorks is counting down the days until GDPR comes into force, providing a host of resources such as online GDPR training, policy templates and helpful guides. We have also created a GDPR countdown to help you keep track of how long your business has to prepare.

Countdown to GDPR

The GDPR resource page

VinciWorks has created a GDPR resources page that includes all the tools and resources you will need to prepare for GDPR.

The GDPR resource page includes:

• Links to course demos from the GDPR training suite
• Two GDPR knowledge checks
• Free guides relating to GDPR
• GDPR data protection policy template
• GDPR ready privacy policy template
• Helpful tools and risk assessments