What a DPIA is, when and how you should conduct a DPIA
The world of data protection and associated regulations such as GDPR can be difficult to navigate. How do you assess where the major compliance risks are for your organisation? What methods and processes should you use (and who should own them)?
In this article, we take a look at the Data Protection Impact Assessment (DPIA), a process critical to compliance when processing activities are likely to result in a high risk to individuals (read on for what constitutes high risk).
We cover what a DPIA is, when and how you should conduct a DPIA.
A DPIA is a process that an organisation must conduct when its processing activities are likely to result in a high risk to individuals (GDPR Articles 35 and 36).
Processing activities that are likely to result in high risk include:
A DPIA done properly should identify and minimise these data protection risks. A DPIA is also a very important function in ensuring data protection compliance.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals that a change to your systems, operational activities and processes may bring, for example when you migrate personal data from an existing software platform to a new supplier's software product.
Conducting a DPIA will also support effective compliance, resulting in financial and reputational benefits as well as evidencing accountability for your processing activities under GDPR. It can also go a long way in building trust and confidence among individuals, from prospects to customers.
A DPIA is a formal process that needs to be embedded into your organisational compliance processes by maintaining appropriate records of when a DPIA was conducted, the reasons for doing so and the risks identified and mitigated against.
You must conduct a DPIA before you begin any type of processing that is likely to result in a high risk.
In particular, the GDPR says you must conduct a DPIA if you plan to:
You should also think carefully about doing a DPIA for any other processing that is large-scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.
It is good practice to conduct a DPIA for any major new project involving the use of personal data.
A DPIA should be managed by taking a staged process that involves:
GDPR Rep is on a mission to help every business achieve and maintain GDPR representation. If you are looking into how your organisation can fulfil its requirements, why not schedule a no-commitment call with a GDPR representative expert today, or get a quote to understand how our value pricing makes compliance simple.