A data protection impact assessment (DPIA) is a process to help you identify, assess and minimise the data protection risks of a project. A DPIA should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage.
You must carry out a DPIA for processing that is likely to result in a high risk to individuals. In particular, the UK GDPR says three categories of processing will always require a DPIA:
systematic and extensive profiling with significant effects
large scale use of special category or criminal offence data
systematic monitoring of publicly accessible places on a large scale
The ICO maintains a list of processing operations that require a DPIA. These include:
use innovative technologies (including artificial intelligence)
use of profiling or special category data to decide on access to services
profiling individuals on a large scale
processing biometric data
processing genetic data, unless by a health professional providing health care directly to the data subject
matching data or combining datasets from different sources
collecting personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’)
tracking individuals’ location or behaviour, including but not limited to the online environment
profiling children or targeting marketing or online services at them
processing data that might endanger the individual’s physical health or safety in case of data breach
Typically, a DPIA will involve the following key steps:
identify the need for a DPIA
describe the processing
consider consultation
evaluate the necessity and proportionality
identify data protection and related risks
identify measures to reduce or eliminate the risks
sign off and record the outcomes of the DPIA
integrate data protection solutions into the project
keep under review
You must seek the advice of your data protection officer (if you have one), and consult with individuals and other stakeholders throughout this process.
You should carry out a DPIA as early as possible within any new project. This will allow you to incorporate its findings and recommendations into the design of the data processing.