A data protection impact assessment (DPIA) is a process designed to help organizations determine how a data processing system, procedure or technology affects individuals’ privacy, and to identify and minimise the resulting risks before they become compliance violations. Conducting DPIAs is a key requirement under the European Union’s General Data Protection Regulation (GDPR), which took effect in May 2018 and requires organizations to perform a DPIA before carrying out types of processing that are likely to result in a high risk to individuals’ rights and freedoms.
The GDPR requires a DPIA when an organization begins a new project that is likely to pose a high risk to individuals’ rights and freedoms through the processing of their personal data. Organizations that fail to conduct a DPIA could face penalties, including a fine of up to 2 percent of the company’s total worldwide annual turnover or 10 million euros, whichever is greater.
Many legal experts consider the DPIA to be one of the most important parts of the GDPR, which is focused overall on giving individuals better control over their personal data and establishing uniform data protection rules across Europe. Although the GDPR is EU law, it also reaches organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU, and many companies that are based outside the EU but do business globally are applying the GDPR’s terms, including its DPIA requirements, worldwide.
A DPIA is a process to help identify and minimize the data protection risks of a project, system or application. There are a number of criteria that determine when a DPIA should be carried out within GitLab.
A DPIA must be done before beginning any type of processing which is “likely to result in a high risk”. This means that even though the actual level of risk has not yet been assessed, screening for factors that point to the potential for a widespread or serious impact on individuals must take place first.
The GDPR requires a DPIA if we plan to:
use systematic and extensive profiling with significant effects
process special category or criminal offence data on a large scale
or systematically monitor publicly accessible places on a large scale
A Privacy Review should be started in the early stages of a project, before any processing has started and before a system has been selected. It should run alongside the planning and development process. The Privacy Review determines whether a full DPIA is necessary. A full DPIA then identifies the controls needed to mitigate the risks found, and those controls should be included in the requirements of any system under consideration. It may be useful at this point to have the assessment reviewed by the DPO and/or IT Security for advice on both technical and non-technical requirements.
By starting a DPIA at the early stages, the risks and the controls required to ensure legal compliance and security can be designed in from the outset, ensuring privacy by design. If a DPIA is left until late in a project, additional controls or manual workarounds may be needed to ensure compliance, which can carry substantial costs. A DPIA also supports data minimisation: it identifies information that is not actually required, and so reduces the cost of controls that would otherwise be needed to protect it.
For research projects, the DPIA should be completed by the Chief Investigator, Principal Investigator or Supervisor. For all other projects, the DPIA should be undertaken by the project owner/lead.
Under the GDPR, non-compliance with DPIA requirements may result in fines imposed by the competent supervisory authority. Fines may be imposed in the following scenarios:
failure to carry out a DPIA when the processing is subject to one (Article 35(1) and (3)-(4)),
carrying out a DPIA incorrectly (Article 35(2) and (7)-(9)), or
failing to consult the competent supervisory authority where required (Article 36(3)(e)).
Each of these can result in an administrative fine of up to 10M€, or in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.