A data protection impact assessment (DPIA) standard document, to be used for carrying out DPIAs that evaluate the potential impact of high-risk data processing activities as required under Article 35 of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR).
This note provides an overview of the key legal elements and considerations for performing data protection impact assessments (DPIAs) in accordance with the requirements of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679), with specific reference to how DPIAs should be dealt with in the UK.
A Data Protection Impact Assessment (DPIA) helps to reduce data protection risk. A DPIA is necessary when a project involves the processing of personal data.
A DPIA:
- suggests the most effective way to comply with our data protection obligations
- helps to meet expectations of privacy.
Completing a DPIA reduces costs and reputational damage through:
- considering the likelihood and severity of any impact; and
- identifying and fixing problems at an early stage.
Individual projects should be designed and delivered in accordance with the sponsor's processes that are already subject to a DPIA. The sponsor should have checks in place to satisfy itself that each study is compliant, assuring itself that the study has been designed and will be delivered in accordance with the processes already subject to a DPIA.
Where a study deviates from the established processes (for example, where a project is intended to use a new technology for the processing of personal data, or where safeguards set out in standing policies cannot be applied), the sponsor should consider whether a study-specific DPIA is appropriate to address the level of risk, or whether updating the existing DPIA(s) will be sufficient.
The benefits of carrying out a DPIA include:
- certifying and proving that your organisation is compliant with the GDPR, thereby avoiding the penalties and sanctions attached to non-compliance
- inspiring public confidence by improving communications about data protection issues
- ensuring your users are not at risk of having their data protection rights violated
- enabling the organisation to embed data protection by design
- reducing operational costs by optimising information flows within a project and eliminating unnecessary data collection and processing.
DPIAs are needed before any type of risky processing is started. To quote Article 35(1): “you must do a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals.”
Article 35 also outlines some situations in which a DPIA is mandatory, such as large-scale processing of special categories of data, or of any personal data relating to criminal convictions. Another situation is where processing is based on automated decision-making, including profiling. The last case outlined in Article 35 is the systematic monitoring of a publicly accessible area on a large scale.
When is a DPIA not required?
A DPIA is generally not required in the following cases:
- Where the processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).
- When the nature, scope, context and purposes of the processing are very similar to processing for which a DPIA has already been carried out. In such cases, the results of the DPIA for the similar processing can be used (Article 35(1)).
- Where a processing operation has a legal basis in EU or Member State law which has stated that an initial DPIA does not have to be carried out, where that law regulates the specific processing operation, and where a DPIA meeting the standards of the GDPR has already been carried out as part of the establishment of that legal basis (Article 35(10)).
- Where the processing is included on the optional list (established by the supervisory authority) of processing operations for which no DPIA is required (Article 35(5)).