GDPR: Why every organisation needs DPIAs (data protection impact assessments)

DPIAs (data protection impact assessments) are a type of risk assessment that identifies the risks a processing activity poses to the rights and freedoms of the individuals whose personal data is processed (including, but not limited to, risks to the security of that data), and works out the likelihood and severity of their effects.

They are a useful accountability tool: the results of a DPIA will help you demonstrate that you have taken the appropriate technical and organisational measures required by the GDPR (General Data Protection Regulation).

It’s particularly important to carry one out when introducing new processes, systems or technologies for processing personal data, and it must be completed before the processing begins: Article 35(1) requires the assessment to be carried out prior to the processing.

Who should conduct a DPIA?

  • Data controllers are responsible for conducting DPIAs as required by Article 35 of the GDPR.
  • Data processors must assist the controller with its DPIAs, according to Article 28(3)(f) of the GDPR.

When is a DPIA required? 

Article 35(1) of the GDPR states that a DPIA is required if processing is likely to result in a high risk to the rights and freedoms of data subjects, and Article 35(3) names three cases in particular:

  • A systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects for data subjects or similarly significantly affect them;
  • Large-scale processing of special categories of data (relating to race or ethnicity, political opinions, health, sexuality, etc.), or of personal data relating to criminal convictions and offences; and
  • Systematic monitoring of a publicly accessible area on a large scale.

The ICO (Information Commissioner’s Office) – the supervisory authority in the UK – has published, as Article 35(4) requires of each supervisory authority, a list of processing operations for which it requires a DPIA. It covers any process that:

  • Uses new technologies;
  • Relies on profiling or sensitive data to decide on access to services;
  • Profiles individuals on a large scale;
  • Processes biometric or genetic data;
  • Matches data or combines data sets from different sources;
  • Involves ‘invisible processing’;
  • Tracks data subjects’ location or behaviour;
  • Profiles children or targets them for marketing or online services; or
  • Involves data that might endanger data subjects’ physical health or safety in the event of a security breach.

What is high-risk processing?

It can be difficult to identify high-risk processing, but any process that meets the criteria set out in Article 35 of the GDPR, or in the guidance provided by the ICO and the WP29 (Article 29 Working Party) – now superseded by the European Data Protection Board, which has endorsed the WP29 DPIA guidelines – should be considered high risk.

There may be some cases where processing doesn’t meet any of the GDPR, ICO or WP29 criteria but still represents a high risk to data subjects. It’s always best to err on the side of caution and conduct a DPIA if in doubt; the assessment itself is the record that you considered the risk.

Making the DPIA process easier

Conducting a DPIA can be complicated – especially as the GDPR itself does not prescribe a process to follow, only the content the assessment must contain (Article 35(7): a description of the processing and its purposes, an assessment of necessity and proportionality, an assessment of the risks to data subjects, and the measures envisaged to address those risks). Without a defined process it is easy to doubt whether your DPIA would stand up to scrutiny. This is where our DPIA Tool will help.

The DPIA Tool will walk you through six steps that together cover everything Article 35(7) requires a DPIA to contain.

  • Step 1 – Process description: Contains a questionnaire that prompts users for information about the process in question.
  • Step 2 – Screening questions: Contains screening questions that help users work out if they need to conduct a DPIA.
  • Step 3 – Consultation: Contains a questionnaire that prompts users for information about the parties they’ve consulted (such as data subjects or their representatives).
  • Step 4 – Principles questionnaire: Contains a questionnaire prompting users to provide information about the necessity and proportionality of processing – e.g. what measures they have in place to uphold data protection principles, data subject rights, etc.
  • Step 5 – Privacy risk assessment: Gives users the means to identify individual risks to the rights and freedoms of data subjects, including evaluating levels of risks and determining risk responses.
  • Step 6 – Review: Contains a brief questionnaire asking users whether the DPIA has been reviewed and whether the process is authorised to go ahead.

You don’t have to be an expert to complete a DPIA: the DPIA Tool will make sure that you answer the questions you need to. It even provides links to the relevant sections of the GDPR, so you can easily check why a question is being asked.

Find out how our DPIA Tool can help you comply with the GDPR: book a one-to-one demonstration today.
