Data Protection Impact Assessment

Rameesa GM
2 min read · Aug 9, 2021

A Data Protection Impact Assessment (DPIA) is a tool designed to help organisations identify, analyse and reduce the data protection risks of their processing activities. The GDPR introduced a requirement to complete a DPIA before carrying out any processing that is likely to result in a high risk to individuals' rights and interests. DPIAs also form an essential part of the accountability obligation under the GDPR.

Article 35 of the GDPR says:

“1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”

“3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

(c) a systematic monitoring of a publicly accessible area on a large scale.”

A DPIA does not have to eliminate every risk posed by the processing, but it should help you reduce the risk and establish whether the level of residual risk is acceptable in relation to the anticipated benefit. Considering the data protection risks of the intended processing before it begins also supports compliance with the data protection by design and by default obligation under the GDPR (Article 25).

DPIAs can also bring broader compliance benefits to the organisation, as they are an effective way to assess and demonstrate compliance with all of the data protection principles and obligations. For example, a DPIA can determine the technical and organisational measures you need to put in place so that your processing complies with the data protection principles, and it can reassure individuals that the organisation is protecting their interests and has reduced any negative impact on them as far as it can.

Should I do a DPIA?

If there is any concern about the harm that may be caused to individuals by the processing, for example if their personal data were lost or misused, it is advisable to conduct a DPIA. Carrying out high-risk processing without having conducted a Data Protection Impact Assessment could lead to a monetary penalty.

Involving the ICO

You don’t need to involve the ICO with every DPIA you conduct, but if a completed DPIA identifies a high risk that you cannot reduce with the measures available to you, you must consult the ICO before starting the processing (Article 36 of the GDPR).
