Data Protection Impact Assessments (DPIAs) under the GDPR
What is a DPIA?
A data protection impact assessment (DPIA) is a process that helps organisations identify and minimise the risks that result from data processing. DPIAs are usually undertaken when introducing new processing activities, systems or technologies.
What is an EU GDPR data protection impact assessment (DPIA)?
Under the EU General Data Protection Regulation (GDPR), data controllers must carry out data protection impact assessments (DPIAs) to “evaluate, in particular, the origin, nature, particularity and severity” of the “risk to the rights and freedoms of natural persons” before processing personally identifiable information. The DPIA “should include the measures, safeguards and mechanisms envisaged for mitigating” the identified risks.
When should you conduct a DPIA?
A DPIA is required when data processing is likely to result in a high risk to data subjects.
The GDPR says you must conduct a DPIA if you plan to:
- Use systematic and extensive profiling with significant effects;
- Process special category or criminal offence data on a large scale; or
- Systematically monitor publicly accessible places on a large scale.
Types of processing where a DPIA is likely to be required:
- A hospital processing its patients’ genetic and health data on its information system.
- The archiving of pseudonymised sensitive data from research projects or clinical trials.
- An organisation using an intelligent video analysis system to single out cars and automatically recognise registration plates.
- An organisation systematically monitoring its employees’ activities, including their workstations and Internet activity.
- The gathering of public social media data for generating profiles.
- An institution creating a national-level credit rating or fraud database.
The WP29 (Article 29 Working Party), which has now been replaced by the EDPB (European Data Protection Board), was responsible for issuing guidelines and opinions on aspects of the GDPR. Its guidelines on DPIAs set out the criteria that organisations should consider when determining the risks posed by a processing operation. The more criteria are met, the more likely processing is to present a high risk to the rights and freedoms of individuals, and therefore to require a DPIA.
Key elements of a successful DPIA
A good DPIA helps you demonstrate that you have considered the risks related to your intended processing and met your broader compliance obligations.
The GDPR does not specify a DPIA process to follow. Instead, it allows organisations to use a framework that complements their existing processes.
Whichever methodology you use, according to the ICO your DPIA must:
- “describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.”
Who should be involved in conducting a DPIA?
Data controllers are responsible for ensuring the DPIA is carried out. The DPIA should be conducted by those with appropriate expertise and knowledge of the project in question – normally the project team.
Under the GDPR, it is necessary for any organisation with a designated DPO (data protection officer) to seek their advice. This advice and the decisions taken should be documented as a part of the DPIA process.
How IT Governance can help you comply with the EU GDPR
IT Governance, a leading global provider of IT governance, risk management and compliance solutions, is at the forefront of helping organisations address the challenges of EU GDPR compliance.