If you're in any doubt about whether the personal data processing you do is likely to result in a high risk to individuals under the General Data Protection Regulation (GDPR), carry out a DPIA: failing to do one when Article 35 requires it can attract a fine of up to €10 million or 2% of annual global turnover, whichever is greater.
Data Protection Impact Assessments (DPIAs) help organisations determine whether the data processing they do, or plan to do, is likely to result in a high risk to the rights and freedoms of individuals.
The GDPR, unhelpfully, doesn't define high risk in much detail. Article 35(3) does give examples of processing that always needs a DPIA (systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special categories of data or criminal conviction data, and large-scale systematic monitoring of publicly accessible areas), and Article 36 requires the controller to consult its supervisory authority before processing where the DPIA shows a high risk that the controller cannot mitigate.
By carrying out DPIAs controllers can determine the risks related to their new and ongoing processing activities and understand whether or not they need to consult their supervisory authority about them.
While a processor doesn't have to consult a supervisory authority about its own activities, it is obliged under its processing contract to assist the controllers it provides services to with their DPIAs (Article 28(3)(f)), so it should expect to supply details of its processing, security measures and sub-processors when a controller asks.
A DPIA is most useful when it is carried out early in a project, because its findings can then be incorporated into the design of the processing operation and data privacy sits at the heart of it rather than being an afterthought. Data protection by design and by default is a central concept of the GDPR: by building data privacy into everyday processes, an organisation demonstrates accountability, in the sense that it is taking suitable measures to achieve compliance.
The GDPR doesn't set out a defined process for a DPIA, but at GDPR365 we've worked with career privacy and data protection professionals to create a DPIA workflow for organisations to follow. If the assessment indicates a high risk to individuals that cannot be mitigated, GDPR365 generates a report for the organisation to take to its supervisory authority, which will then offer advice on how to proceed.
A framework like the one provided by GDPR365 makes it easier for an organisation to implement the processes necessary to become GDPR compliant.