A Data Protection Impact Assessments (DPIA) is a tool to determine in advance the privacy risks involved in data processing. Article 35 and Article 36 impose the obligation to conduct a DPIA and to have prior consultation in certain cases.
If there is a chance that a new type of processing (especially when using new technologies) may cause a high risk to the rights and freedoms of natural persons, the data controller needs to carry out a DPIA. This is especially the case with respect to:
Automated decisions, including profiling;
Special categories of data (Article 9) and data relating criminal convictions and offences (Article 10);
Systematic monitoring of public spaces on a large scale.
Organisations don’t have to carry out DPIAs for all processing operations separately, one DPIA can address a set of similar processing operations that have a similar high risk. When carrying out a DPIA, the controller has to seek advice from the data protection officer (if there is one) and views from data subjects request management or their representatives (if appropriate).
The DPIA should contain at least:
A systematic description of the processing operations, purposes and the legitimate interest;
An evaluation of the necessity and proportionality of the processing operations in relation to the purposes;
An evaluation of the risks to the rights and freedoms of data subjects;
Possible measures to address risks and to demonstrate compliance.
A controller is exempted from carrying out a DPIA if:
processing is necessary for compliance cookie consent with a legal obligation to which the controller is subject;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
‘Privacy by design’ is an approach to projects that promotes privacy and data protection compliance from the start. The ICO views privacy by design as an essential tool in minimising privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:
Potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
Increased awareness of privacy and data protection policy template across an organisation.
Organisations are more likely to meet their legal obligations and less likely to breach the DPA.
Actions are less likely to be privacy intrusive and have a negative impact on individuals.
This is where data protection impact assessments come in.
Data protection impact assessments are a tool that you can use to identify and reduce the privacy risks of your projects and systems of working. A DPIA can reduce the risks of harm to individuals arising from the misuse of their personal information. It can also help you to design more efficient and effective processes for processing personal data.
DPIAs are, therefore, useful tools to help organisations consider and address the privacy risks inherent in processing the data they hold. They are a risk management tool to be used when considering how to comply with the data protection principles. They are also about meeting patient and staff expectations regarding how you keep their personal data safe. The GDPR Policy Template requires that you carry out a DPIA before you implement a new system or process for processing data: for example, you want to update your telephone system with call recording.
However, assessments should also be part of ongoing processes in your organisation and can be carried out when planning any changes to an existing system.
Conducting a DPIA doesn’t have to be complex or time consuming and the amount of time and effort that you put into it should be proportionate to the privacy risks that might arise.