Data Protection Impact Assessment – DPIA
What's the Purpose of a Data Protection Impact Assessment (DPIA)?
If you process personal data and therefore fall under the GDPR, one of your obligations as an organisation is to determine whether a Data Protection Impact Assessment (DPIA) is required. Under Article 35, a DPIA is required where processing is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing. This applies to new processing operations, and also to existing processing operations where there has been a change in the risks they present.
Essentially a DPIA is a risk assessment of the proposed processing of personal data by an organisation and is designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them.
DPIAs are important tools for accountability, as they help organisations not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been undertaken to ensure compliance with the regulation. In other words, a DPIA is a process for building and demonstrating compliance.
Under the GDPR, non-compliance with the DPIA requirements can lead to fines imposed by the supervisory authority (in the UK, the ICO). Failing to carry out a DPIA when the processing requires one, carrying out a DPIA incorrectly, and/or failing to consult the supervisory authority where required (Article 36) can each result in an administrative fine of up to €10M or, in the case of an undertaking, up to 2% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(4)).
What's Involved in a DPIA?
Since the GDPR became applicable in May 2018, a DPIA has been mandatory whenever an organisation plans to introduce a new technology, project, activity or process that is likely to result in a "high risk" to the data protection rights of individuals. The ICO has also promoted the use of DPIAs as an integral part of a privacy-by-design approach. The same applies when an organisation plans revisions to existing technology, projects, activities or processes, including operations that involve employee personal data or other forms of personal data.
DPIAs vary greatly in complexity, depending mainly on the size of your organisation and on the extent, location, visibility and ease of access of the personal data you hold. The regulation (Article 35(7)) sets out the following minimum required features:
- A description of the envisaged processing operations and the purposes of the processing – for example, explaining what personal data will be used, whom it will be obtained from or disclosed to, and who will have access to it;
- An assessment of the necessity and proportionality of the data processing;
- An assessment of the risks to the rights of the individuals affected (for example, financial loss, distress or the risk that inadequate disclosure controls could increase the likelihood of personal data being shared inappropriately); and
- The measures envisaged to address the risks and to demonstrate compliance with the GDPR. (Some risks can be eliminated altogether or reduced; however, most processing activities will have some impact on privacy and will require an organisation to accept and document some residual level of risk.)