Data Protection Impact Assessment

Rameesa GM
Aug 20, 2021

Data Protection Impact Assessments (DPIAs) are a requirement of data protection legislation but are seen as an intensive and onerous process. Challenges exist around inconsistency of format across councils, human resource, a lack of understanding of the process on the part of the staff who complete them, document control and duplication of data and effort.

There is a need for a more ergonomic and user-friendly DPIA process that all staff feel comfortable with. This must provide crucial technical support, helping to remove barriers to the creation of compliant DPIA.

The Case for DPIA Automation

It is a requirement to complete the DPIA process in line with the GDPR. If you wish to avoid sanctions and administrative fines and protect your reputation within the industry, ensure that GDPR training is stringently enforced.

The challenges we often see include the tremendous effort needed to execute DPIAs as a result of a scattered approach, leading to a time-consuming process carried out in a combination of, for example, Word documents and SharePoint workflows.

This ‘document-heavy’ approach is surprisingly common amongst organisations, but it can quickly grow unwieldy: a large number of DPIAs with little oversight, which are therefore hard to follow up.

As a result of this approach, the following issues are repeatedly observed:

· User Frustration: The business community sees the DPIA process as an inconvenience. Having to complete complex and time-consuming forms on top of their ‘day job’ only makes matters worse.

· Scattered Approach: Because the approach is loosely held together with Word documents, it soon becomes impossible to manage across the many departments involved.

· Poor Reporting: With unstructured data that is ‘locked away’ in Word documents and SharePoint folders, any reports required by senior managers or regulators rely on manually intensive data collection.

A Data Protection Impact Assessment (often referred to as a DPIA) is a process or task designed to identify what data protection issues may arise from certain ‘high risk’ projects we are undertaking.

A ‘high risk’ project is one where the processing of your personal data is likely to result in a high risk to your rights and freedoms.

The DPIA will help us manage risk by allowing us to identify the risks and to implement solutions to them at an early stage of the project.

Who should be consulted when conducting a DPIA?

Ultimately, the controller is responsible for conducting the DPIA, regardless of whether the controller or another entity carries it out. Nevertheless, the controller will be obliged in certain circumstances, or may choose in other cases where it considers it useful, to consult various parties for the purposes of conducting the DPIA. Those parties may include the:

  • Data Protection Officer (DPO).
  • Processors. Where the processing operation is performed wholly or partly by a data processor, the processor must assist the controller in conducting the DPIA and must provide any necessary information.
  • Data subjects. The Regulation specifies that “where appropriate” the controller must seek the views of data subjects or their representatives. However, there is protection for an organisation’s intellectual property and business interests, as this obligation is without prejudice to the protection of commercial or public interests or the security of processing operations. We could use a study, a formal question to the staff representatives or trade/labour unions, or a survey sent to future customers as possible consultation methods. The A29WP also emphasises the importance of documenting these consultation processes. Where a data controller’s final decision differs from the views of the data subjects, we should document the reasons in support of that decision. Similarly, where a data controller decides that it is not appropriate to seek the views of data subjects, we should record the reasoning for this decision.
