The new EU General Data Protection Regulation (GDPR) confirms that privacy must by default be designed into the processing of personal data. This ‘privacy by design’ concept is not new, and has for many years been recommended by the UK Information Commissioner’s Office (ICO), as outlined in its report Conducting privacy impact assessments code of practice.
What is new is the statement in Article 35 of the GDPR that data protection impact assessments (DPIAs) are mandatory for organisations with technologies and processes that present a high risk to the rights of the data subjects.
DPIAs are at the heart of building a privacy-by-design approach. They allow organisations to find and fix problems at the early stages of any project, reducing the associated costs and damage to reputation that might otherwise accompany a data breach. Such projects could include a new business acquisition, a new service, or even a new marketing campaign targeting a group of prospects. DPIAs also help companies to meet the growing privacy and data security expectations of customers, employees and other stakeholders.
Our view is that DPIAs (sometimes referred to as PIAs) should be used as default strategic tools for all UK organisations that process, store or transfer personal data. In addition to meeting the requirements of the GDPR, they are an essential component of an ISO 27001 risk-based approach designed to implement and maintain effective information security.
To help you get started immediately, we recommend that you attend our Data Protection Impact Assessment (DPIA) Workshop , a one-day classroom session designed to provide delegates with the practical knowledge to deliver effective DPIAs. It costs just £495 plus VAT, and the next session is in London on 16 May 2017.
If you are just beginning your GDPR journey, you may want to consider attending our Certified EU General Data Protection Regulation (GDPR) Foundation training course which runs in eight UK locations (classroom) or as Live Online sessions (wherever you are).