What is a DPIA?
A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.
DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals.
A DPIA does not have to indicate that all risks have been eradicated. But it should help you document them and assess whether or not any remaining risks are justified.
When do we need a DPIA?
You must do a DPIA before you begin any type of processing that is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk, you need to screen for factors that point to the potential for a widespread or serious impact on individuals.
In particular, the DPJL says you must do a DPIA if you plan to:
• use systematic and extensive profiling with significant effects;
• process special category or criminal offence data on a large scale; or
• systematically monitor publicly accessible places on a large scale.
What are the objectives of this methodology?
By following this process we will:
• Ensure compliance with applicable legal, regulatory, and policy requirements for privacy.
• Determine the risks, including to individuals, in terms of damage and distress caused when personal data is mishandled, and organisational risks, such as financial and reputational damage resulting from data breaches.
• Evaluate alternative processes to mitigate potential privacy risks.
• Identify actions to be taken to reduce privacy and information security risks.
• Embed privacy by design and other appropriate information security measures into the specification, design and build of systems and procedures.
Who completes the toolkit and conducts the DPIA?
The person responsible for the project will be responsible for completing the toolkit and, where necessary, the DPIA. The Data Protection Officer or the Edinburgh Business School Compliance Manager, as appropriate, can provide advice and guidance to the person completing the toolkit, review the completed toolkit, endorse the recommended actions and gain assurance that these have been completed. We can also provide this document in Word format.
What does a list of processing operations contain?
The list put forward by the CNPD is not a comprehensive list of processing operations outside of which a DPIA would never be necessary – it is limited to those operations for which a data controller will necessarily need to perform a DPIA. Whether a DPIA is required for operations not featured on the list will have to be assessed in accordance with the criteria of Article 35 GDPR and the Guidelines on Data Protection Impact Assessment (WP248) issued by the Article 29 Working Party.
Actions we can help you with in the coming weeks:
• help you to determine whether or not a DPIA should be undertaken;
• assist you in a review of processing activities that you may currently be undertaking or are contemplating undertaking, and help verify whether any of those might qualify for a mandatory DPIA;
• if areas of potential high risk are identified, recommend steps to mitigate that risk and consult with the CNPD.
An organization may use a DPIA, even where one is not required, to assess whether the required data protection controls are in place and to demonstrate compliance with GDPR requirements. DPIAs are required of organizations acting as Data Controllers. Data Processors may also use DPIAs to assess whether they are processing data in a manner that supports the Controller in meeting its compliance obligations under the GDPR.
Before commencing a DPIA, it is essential to have a picture of what information your organization has, where that data is located, and how it flows through the organization. With that in mind, it is important to develop a data inventory and map the organization’s business process flows, systems and vendors.
An organization’s data inventory should include the name of the business process, the processing activities involved, the data elements required for each processing activity and their sensitivity, the systems involved and the third parties involved. The inventory can then be used to understand the flow of the data, including its origin, the systems in which it is processed and any transfers to third parties or organizational affiliates.