A Data Protection Impact Assessment is a process for building and demonstrating compliance with the GDPR.
It’s a process that an organisation can use to systematically describe its data processing purpose and operation, assess whether its processing is likely to result in risk for the data subjects concerned, and determine measures for addressing these risks.
Undertaking a DPIA shows that an organisation has considered the rights and interests of its data subjects and is intent on ensuring the protection of its personal data.
On 13 October 2017 the Article 29 Working Party (WP29) released final guidelines on DPIAs, indicating how and when organisations should carry out a DPIA and the criteria that need to be adopted in the process.
The WP29 guidance indicated that since the role of the DPIA is to provide a risk-based analysis, a DPIA is only required if the data processing is likely to result in high risk. Where the risks cannot be mitigated using suitable safeguards, the organisation must consult with its supervisory authority prior to implementing the new processing. The organisation must consult with its data protection officer, where one has been designated.
Organisations that need to undertake a DPIA are those that:
- hold sensitive or highly personal data
- hold data concerning vulnerable data subjects
- process data on a large scale
- undertake systematic monitoring (of employees’ activities, for example)
- evaluate or score data for the purposes of profiling and predicting
- match or combine data sets
- automate decision making with legal or similar significant effects
- introduce new technological or organisational solutions
- process data where the data subjects are unable to exercise their rights over the outcome
The WP29 guidance made it clear that in order to manage the risks to the rights and freedoms of data subjects, the risks have to be identified, analysed, estimated, evaluated, treated and reviewed regularly. “Controllers cannot escape their responsibility by covering risks under insurance policies,” a footnote advises.
In the same way that GDPR compliance isn’t a one-off but rather an ongoing exercise, DPIAs are ongoing processes that continually need to be reviewed. Don’t be fooled into thinking 28 May 2018 is the finish line. It’s more like the starting line.
image credit: https://www.itgovernance.co.uk/