Data Protection Impact Assessment

What is data protection impact assessment?

Data protection impact assessments (DPIAs) help organisations identify, assess and mitigate or minimise the privacy risks arising from data processing activities. They are particularly relevant when a new data processing activity, system or technology is being introduced. The data controller is responsible for the DPIA and must seek the advice of the data protection officer (DPO) if one has been appointed. Some organisations may choose to appoint an external party to conduct the assessment.

A DPIA must be carried out where the processing, in particular when it uses new technologies, is likely to result in a high risk to individuals. It is also good practice to conduct one for any large scale data processing you carry out. A DPIA needs to contain a detailed description of the processing operations, an assessment of the necessity and proportionality of the processing in relation to its purpose, an assessment of the risks to individuals, and the controls put in place to mitigate those risks.


When is a GDPR Data Protection Impact Assessment Required?

In general, GDPR requires a Data Protection Impact Assessment (DPIA) for any new processing activity that is likely to result in a high risk to individuals, and specifically in the following cases:

  • If you use systematic and extensive profiling with significant effects
  • If you process special category or criminal offence data on a large scale
  • If you systematically monitor publicly accessible places on a large scale

Each of the three cases above requires a DPIA on its own. For other processing, the Article 29 Working Party guidelines list a wider set of criteria that indicate high risk, and suggest that a processing operation meeting two or more of those criteria will usually require a DPIA, while in some cases a single criterion is enough to require one.

The process of carrying out a DPIA helps you make informed decisions about data protection risks and communicate effectively with the individuals affected. Although risk can never be eliminated entirely, a DPIA helps you identify data protection risks early, find ways to mitigate them, and assess whether a project is viable.

High risk data processing

Under GDPR, organisations must undertake a DPIA when processing is likely to result in a high risk to individuals. High risk processing includes systematic and extensive profiling, large scale processing, processing of special category (sensitive) data and data relating to criminal convictions, and systematic monitoring of public areas, for example by CCTV.

Under GDPR, organisations must apply two principles when protecting personal data: data protection by default and data protection by design (commonly referred to as privacy by default and privacy by design).

Privacy by default

By default, privacy settings should be set to their most protective level. Only the personal data necessary for each specific purpose should be collected and processed, and it must be kept secure, without the user having to change any settings to achieve this.

Privacy by design

Each new service or business process that makes use of personal data must take privacy and data protection into account from the design phase onwards. There is a specific obligation to implement appropriate technical and organisational measures that build data protection principles, such as data minimisation, into the processing itself.

Data Protection Impact Assessments with Omnitrack

How will your organisation keep track of the DPIA process? Omnitrack's GDPR registers notify managers instantly of data breaches or concerns, subject access requests, policy or procedure updates, and any compliance questions surrounding GDPR. This includes a DPIA register, allowing you to conduct and record your DPIAs in a smooth and efficient way.

10 steps for getting GDPR compliant

  1. Form a team to conduct a DPIA
  2. Provide GDPR training for all staff so they understand the changes to data protection regulation under GDPR, why a DPIA is needed and what it consists of
  3. Conduct an audit of all the data your organisation processes
  4. Analyse how your organisation processes data, and how the data you currently hold was obtained
  5. Review the lawful basis for data collected before GDPR came into force; where you rely on consent and the existing consent does not meet the GDPR standard, obtain fresh consent from the data subjects concerned
  6. Establish what changes are needed to the way you process data
  7. Put into action the required changes identified in the DPIA
  8. Update your organisation’s data protection policy, privacy policy, and privacy notice
  9. Inform data subjects of the changes to how you process data
  10. Review and, if necessary, update the way your organisation processes data at least annually