A DPIA is a type of risk assessment. It helps you identify and minimise risks relating to personal data processing activities. DPIAs are also sometimes known as PIAs (privacy impact assessments).
The EU GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018 require you to carry out a DPIA before certain types of processing. This ensures that you can mitigate data protection risks.
For instance, if processing personal information is likely to result in a high risk to data subjects’ rights and freedoms, you should carry out a DPIA.
You should also conduct one when introducing new data processing processes, systems or technologies.
As more information has transitioned from paper to digital, data privacy regulations to protect that data have become necessary. One of the most well-known of these is the General Data Protection Regulation (GDPR), which covers any data collected from citizens of the European Union.
If an organization is subject to GDPR, no matter what country it’s in, it needs to become familiar with this data privacy regulation. This includes the data protection impact assessment GDPR requires.
A data protection impact assessment is a structured evaluation of a service, process, project, or organizational change that requires the collection of personal data. This data impact analysis is done to mitigate risk associated with personal data collection, transmission, and storage.
The EU’s GDPR requires that a data protection impact analysis be performed when any activity, especially one dealing with new technology, is likely to involve a high risk “to the rights and freedoms of individuals.”
In layman’s terms, this means that if you are collecting sensitive personal data and there is any risk of exposure, you are required to assess and evaluate that risk and your mitigation strategies, typically using a data protection impact assessment template.
As mandated by Art. 35 GDPR (2018): “Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
The list of processing activities that require a DPIA includes (but isn’t restricted to) systematic and extensive profiling with significant effects, large-scale processing of sensitive data, and large-scale systematic monitoring of a publicly accessible area. Quite impractically, the template of a DPIA is far from set in stone, and there is only a minimum set of required contents: a systematic description of the processing operation; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address the risks. Even if the risk assessment part could entail some kind of scoring of the level of a given risk, the current DPIA is predominantly a qualitative assessment with potentially arbitrary outcomes!
When is a DPIA required?
Under the GDPR, a DPIA is mandatory for certain types of processing, and for any other processing that is likely to result in a high risk to individuals’ interests. The ICO has published criteria for identifying such processing.
Even where the risk to individuals is not judged to be high, DPIAs should be considered for any new projects, and policy or service changes, involving the use of personal data. Some examples of when a DPIA might be appropriate include: migration of personal data from one system to another; using a new system or application, or an existing one in a different way from before; adopting new technology that may be untried.
They should be considered at an early stage, where there is the greatest scope for addressing risks and influencing project design and implementation, such as when the business case is first drafted or research study being
Who conducts the DPIA?
The Data Protection Officer has overall responsibility for DPIAs across the organisation. However, much of the DPIA process can be completed by the project team in consultation with the Records & Information Compliance Manager, using the DPIA template documents (see below for details).
Ideally, a member of the project or research team should be identified as having responsibility for overseeing the DPIA. The Records & Information Compliance Manager will work with the team to provide advice and guidance and ensure the necessary documentation is completed. The DPO will be consulted and will sign off the DPIA.
What do the project team need to know about data protection?
Although data protection legislation underpins the DPIA, it is not necessary for project teams to have in-depth knowledge of the current data protection law. However, it should be noted that GDPR training is important and encouraged for all Queen Mary staff.