Data Protection Impact Assessments (DPIA) are addressed in the GDPR. Article 35 requires that organizations carry out a DPIA when a processing activity is likely to result in a high risk to the rights and freedoms of natural persons. Thus, a Data Protection Impact Assessment (DPIA) is a mandatory prerequisite in a variety of cases where personal data is processed. Examples of such processing operations are the systematic monitoring of individuals (such as surveillance cameras in many public areas) and the processing of special categories of personal data. You can read more about when a DPIA is required on the Office of the Data Protection Ombudsman's webpages.
A Data Protection Impact Assessment (DPIA) can be defined as a risk management tool: it helps an organisation identify, assess and minimise any "high" privacy risks in new systems, technologies or processes. Performing a DPIA is an effective way to operationalise Privacy by Design, since carrying out a DPIA helps embed privacy into product and service development. A DPIA is also useful when assessing the privacy impacts of the continued use of existing systems, technologies or processes.
It is good to keep in mind that a DPIA is a continuous process that aims to identify risks and solutions, rather than a one-off report produced to demonstrate compliance. Therefore, all the relevant stakeholders should be involved in the DPIA process. A DPIA helps relevant stakeholders make an informed decision regarding business operations that involve the processing of personal data.
In addition to demonstrating compliance and proving that your organization has met the GDPR's mandatory requirements, there are other reasons to perform a Data Protection Impact Assessment. First, a well-organized DPIA creates communication among stakeholders. Second, a DPIA can protect the reputation of the organisation by preventing overly intrusive products or services from being released. Third, a DPIA is a helpful tool when collaborating with internal and even external parties: it is an internal check that must be passed, and the outcome can later be used in communication with authorities.
The starting point of a DPIA process is the Records of Processing Activities. This documentation serves as the basis for the initial "threshold" assessment. After this primary risk review, if it appears that the processing activity is likely to result in a high risk to individuals' rights, the organization should conduct a Data Protection Impact Assessment (DPIA). There can also be follow-up actions, such as prior consultation with the supervisory authority, in cases where the chosen controls cannot sufficiently mitigate the risks.
Picture 1. Process Overview
The GDPR provides flexibility to determine the precise structure and form of a Data Protection Impact Assessment (DPIA) report. However, a genuine DPIA report should include, at a minimum:
There are various risk assessment methodologies and frameworks that can help your organization map the risks. The methodology used should be appropriate for the organization's needs and should be built on the following key items:
Here are four practical tips for carrying out a DPIA in your organisation:
If you want to discuss Data Protection Impact Assessments (DPIA) further, please book a time for the discussion here.
Please also take a look at Privaon's Data Protection Impact Assessment (DPIA) as a Service.