Conducting data protection impact assessments (DPIAs), previously known in the UK as privacy impact assessments (PIAs), is mandatory under GDPR for any processing likely to result in a high risk to individuals. The ICO regards them as a key part of an organisation's accountability obligations from 25th May 2018, when GDPR applies.
What is a data protection impact assessment (DPIA)?
You must carry out a DPIA before using new technologies or data processing operations that are likely to result in a high risk to the rights and freedoms of individuals. A DPIA helps you work out how your organisation can process personal data in compliance with GDPR and minimise the risks to the people whose data you hold, not only the risk of a breach. It allows you to identify and fix problems at an early stage, before they become costly to your coffers and to your reputation.
It should contain a description of the processing operations and their purposes, an assessment of a) what the ICO calls "the necessity and proportionality of the processing in relation to the purpose" and b) the risks to the rights and freedoms of the individuals concerned. Your DPIA should also record the measures you have in place to address those risks, including the security measures and safeguards, so that you can demonstrate GDPR compliance.
If you want to dig more deeply, here’s a link to the ICO’s 51-page PDF: “Conducting privacy impact assessments code of practice”.
How to conduct a DPIA
Your DPIA must address five key questions, and record the outcomes:
1. Have you identified the need for a DPIA?
Firstly, screen the project: decide whether the inherent risk of the new technology or data processing operation is likely to be high enough to require a DPIA. GDPR singles out systematic and extensive profiling, large-scale processing of special category data and systematic monitoring of publicly accessible areas as cases where one is always required. Record the decision either way.
2. Can you describe the information flow?
Your DPIA should include a description of how the information within the data processing operation is collected, stored, used, shared and deleted: what data is involved, where it flows, who has access to it and for how long it is retained. A data flow diagram is a useful way to capture this.
3. Can you identify privacy and related risks?
Identify the risks to the rights and freedoms of the individuals whose data you hold or process, together with the related compliance risks (where the processing would contravene GDPR) and corporate risks. For each, consider the threats and vulnerabilities that could give rise to harm, and assess both the likelihood and the severity of that harm.
4. Have you identified and evaluated privacy solutions?
Take each risk you've identified and set measures against it that eliminate, reduce or, where justified, accept it. Evaluate how far each measure actually reduces the risk and record the residual risk that remains after it is applied.
5. Is your DPIA signed off?
Once you've addressed these questions and recorded their outcomes, your DPIA report should be signed off by whoever is responsible for those decisions; if you have a data protection officer, you must seek and record their advice. NB if a high residual risk remains that you cannot mitigate, you must consult the ICO before starting the processing.
You'll need to refer back to your DPIA throughout the project, to make sure it is being followed and that the measures you identified are actually implemented, and to revisit it whenever the processing or the risks change.