A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.
Data Protection Impact Assessments are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and build trust and engagement with individuals.
You must do a DPIA before you begin any type of processing which is “likely to result in a high risk”. This means that, although you have not yet assessed the actual level of risk, you need to screen for factors that point to the potential for a widespread or serious impact on individuals.
In particular, the GDPR Policy Template says you must do a DPIA if you plan to:
use systematic and extensive profiling with significant effects;
process special category or criminal offence data on a large scale;
systematically monitor publicly accessible places on a large scale;
use new technologies;
use profiling or special category data to decide on access to services;
profile individuals on a large scale;
process biometric data; or
process genetic data.
A DPIA is one of the processes identified to demonstrate compliance with the data protection provisions of the GDPR Policy Template. It is different from a Privacy Impact Assessment (PIA), which helps you demonstrate data privacy compliance to all stakeholders involved in the privacy process, and from a Security Risk Assessment, which is a tool designed to verify and implement the correct data security measures through an accurate checklist.
GDPR applies to all companies offering services to EU citizens. The company does not need to have a legal entity or representative in the EU; the only valid criterion is whether or not it processes EU citizens’ data.
Who conducts the DPIA?
The Data Protection Officer has overall responsibility for DPIAs across the organisation. However, much of the DPIA process can be completed by the project team in consultation with the Records & Information Compliance Manager, using the DPIA template documents (see below for details).
What happens after a DPIA?
On completion of a full-scale DPIA, the project team and the DPO should have a set of completed documentation.
The results of the DPIA should be fed back into the project management process (see steps 5 & 6 above) to be considered at project closure, post-project review and lessons learned. If the project aims evolve throughout the process, the project team should review step 1, to ensure the DPIA is still required or fit for purpose.
A Data Protection Impact Assessment (DPIA) is a way of ensuring and controlling compliance. Some sources call it a PIA (Privacy Impact Assessment), though it means much the same thing. It is used to assess the necessity of data processing, as well as to estimate the risks to the rights and freedoms of individuals (data subjects) whose data is being processed. A well-made DPIA is a good instrument of accountability, as it demonstrates precisely which measures are being taken and to what extent.
It pays to perform good and comprehensive DPIAs: they are an essential tool for proving compliance with the GDPR, and they also help your company establish data protection measures that will ensure customer satisfaction and data security.