A Data Protection Impact Assessment (DPIA) helps us to analyse a processing activity in detail and to identify and minimise its data protection risks. These are not only compliance risks but also broader risks to an individual’s rights and freedoms. A DPIA may not eliminate a risk completely, but it will help mitigate or reduce the risk and justify any risk that remains.
A data protection impact assessment should consider the potential for harm, which can be physical, material or non-material. When evaluating the risk, both the likelihood and the severity of any impact need to be taken into consideration.
A DPIA may cover more than one processing operation where the operations are similar, and for some projects a DPIA may take several months to conduct properly. It should not be viewed as a single point-in-time exercise but as one that needs to be regularly reviewed.
A group of Data Controllers can also conduct a joint DPIA, as with research that involves several universities.
In short, a DPIA is needed before you begin processing that is ‘likely to result in a high risk’. You will not know the risk at the outset, but certain criteria will indicate that there is a potential for a serious impact on individuals.
Under GDPR we must do a DPIA in the following circumstances, where we plan to:
use systematic and extensive profiling with significant effects;
process special category or criminal offence data on a large scale; or
systematically monitor publicly accessible places on a large scale.
The ICO also requires us to do a DPIA if we plan to:
use innovative technology (in combination with any of the criteria from the European guidelines);
use profiling or special category data to decide on access to services;
profile individuals on a large scale;
process biometric data (in combination with any of the criteria from the European guidelines);
process genetic data (in combination with any of the criteria from the European guidelines);
match data or combine datasets from different sources;
collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
track individuals’ location or behaviour;
profile children or target marketing or online services at them; or
process data that might endanger the individual’s physical health or safety in the event of a security breach.
A DPIA should be considered at the very start of a project, during the planning and development phase and before processing commences. It would usually be carried out by the individual leading the project or someone who has overall responsibility for it. Information Assurance Services (IAS) will assist in completing a DPIA and should be contacted at an early stage.
A DPIA involves a number of stages. Initially a screening questionnaire is completed in the OneTrust software to determine whether a full DPIA is required.
If a DPIA is required, then a full questionnaire will need to be completed in OneTrust. This will be used in conjunction with other evaluations, e.g. the ITS Cloud evaluation. In the case of research using patient data, other governance documentation will also need to be considered.
The principles are the foundation on which data protection law is built. They are set out at the start of the legislation and inform everything that follows. Complying with the principles is fundamental to good data protection practice.
Importantly, Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. These can be up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher.