Thanks to GDPR, DPIAs matter more than ever. Here’s why – and tips on how to do them

A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project. They always mattered but the General Data Protection Regulation (GDPR) made them matter much, much more.

As most Data Protection Officers (DPOs) and data processors are aware by now, GDPR added significant compliance burdens. Under GDPR, data breaches need to be reported to the authorities within 72 hours and each new data processing activity needs to be documented. GDPR also introduced a new obligation to do a DPIA before carrying out processing likely to result in high risk to individuals’ interests. If your DPIA identifies a high risk which you cannot mitigate, you must consult the Information Commissioner’s Office (ICO). The regulator can recommend changes to reduce the risk, give a formal warning not to carry out the processing or even ban the processing altogether. 

The DPIA is a key element of the regulation’s focus on accountability and data protection by design, and of its more risk-based approach to compliance. And it’s no joke: as we’ve seen, penalties for breaching GDPR can reach into the tens of millions of euros.

What exactly does a DPIA do?

A DPIA analyses the proposed processing and identifies ways to minimise data protection risks. It involves:

  • describing the nature, scope, context and purposes of the processing
  • assessing the necessity, proportionality and compliance measures
  • identifying and assessing risks to individuals
  • identifying any additional measures to mitigate those risks

In assessing the level of risk, DPIAs should consider both the likelihood and severity of any impact on individuals. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.

How to conduct a DPIA

The ICO recommends 7 steps for conducting a DPIA. Don’t forget to document everything you are doing along the way.

Step 1: Identify the need for a DPIA

  • Summarise why you identified the need for a DPIA
  • The DPIA should be driven by people with appropriate expertise and knowledge of the project in question, normally the project team

Step 2: How should you describe the data processing?

  • How will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone?  
  • What is the nature of the data? How much data will you be collecting and using?
  • What is the nature of your relationship with the individuals? 
  • What do you want to achieve?

Step 3: Consultation

  • Describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Whom else do you need to involve within your organisation? Do you need to ask your external processors to assist? Do you plan to consult information security experts, or any other experts?

Step 4: Necessity and proportionality 

  • Determine that your activities are GDPR compliant. What is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome?

Step 5: Identify and assess risks

  • Describe the source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.

Step 6: Identify measures to reduce risk

  • Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk
  • Measure the effect of your mitigation on the risk
  • Are you comfortable with the risk level?
  • If your residual risk remains high, you need to consult the ICO

Step 7: Sign off and record outcomes

  • Under GDPR it is necessary for any organisation with a designated data protection officer (DPO) to seek their advice in a DPIA. This advice and the decisions taken should be documented as a part of the DPIA process.
  • Don’t just do a DPIA as a tickbox exercise; it should influence your ongoing processes. You might find that after doing a DPIA you want to change some of the processes you have in place.

Once you’ve finished your DPIA, notify the supervisory authority if you have identified a high risk and you cannot take any further measures to reduce it.

There are some business benefits of doing a DPIA:

  • Understanding major risks at the outset
  • Preventing costly adjustments and redesign 
  • Improving quality of data through minimisation and accuracy
  • Improving decision making regarding data protection
  • Raising privacy awareness in the organisation
  • Strengthening consumer confidence in the way data is protected
