A Data Protection Impact Assessment (DPIA) provides a methodical and comprehensive way to analyze the processing of personal information and help to identify and mitigate data protection risks.
Under the GDPR, businesses are legally required to carry out a DPIA if any type of processing is likely to result in a high risk to the data subject, as stated in Article 35 of the GDPR.
Failure to carry out a DPIA in such cases can leave a business wide open to enforcement action, including a fine of up to €10 million or 2% of global annual turnover, whichever is higher.
That said, DPIAs are not simply a compliance exercise…
A DPIA enables businesses to prioritize risks and handle them proportionately, in order to make informed decisions. It also serves to demonstrate that the business has implemented appropriate data privacy procedures and controls, which help to resolve problems at an early stage.
The Article 29 Working Party provides nine processing operations “likely to result in a high risk”. These can serve as useful guidance for determining when data-processing activities reach the “high risk” level. This is the point at which a company should seriously consider conducting a DPIA if it engages in any of the following processing activities:
Profiling, evaluating, or scoring data subjects (e.g., for predictive purposes).
Automated decision-making.
Systematic monitoring.
Processing sensitive data or data of a highly personal nature.
Large-scale data processing.
Matching or combining data sets.
Processing data concerning vulnerable data subjects.
Innovative uses or applications of new technological or organizational solutions to personal data.
A Data Protection Impact Assessment can be used for an individual processing operation, or for a group of similar processing operations. In some situations it may be possible to rely on an existing DPIA, as long as it covers a similar processing operation with similar risks. A group of controllers can also carry out a joint DPIA for a group project or industry-wide initiative.
A Data Protection Impact Assessment brings value to any organization that is required to comply with the GDPR. And while it is true that conducting a DPIA can be a lengthy and time-consuming exercise, a DPIA is like getting the “green light” for compliance with specific data processing
It can also act as a pre-analysis of the company’s data processing by the DPIA team members, while demonstrating good faith to the national regulator, as well as to the company’s valued customers.
NOTE: This article is provided for informational purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experienced data privacy practitioner and/or data privacy attorney when preparing for compliance with any data protection and privacy legislation.