The new EU General Data Protection Regulation (GDPR) confirms that privacy must be designed by default into the processing of personal data. This ‘privacy by design’ concept is not new, and has for many years been recommended by the UK Information Commissioner’s Office (ICO), as outlined in its report ‘Conducting privacy impact assessments code of practice’.
What is new is the statement in Article 35 of the GDPR that a data protection impact assessment (DPIA) is mandatory for organisations with technologies and processes that present a high risk to the rights and freedoms of the data subjects.
Privacy by design approach
DPIAs allow organisations to find and fix problems at the early stages of any project, reducing the associated costs and damage to reputation that might otherwise accompany a data breach. Such projects could include a new business acquisition, a new service, or even a new marketing campaign targeting a group of prospects. DPIAs also help organisations meet the growing privacy and data security expectations of customers, employees and other stakeholders.
Our view is that DPIAs should be used as default strategic tools for all UK organisations that process, store or transfer personal data. In addition to meeting the requirements of the GDPR, they are an essential component of ISO 27001’s risk-based approach to implementing and maintaining effective information security measures.
To help you get started, we recommend that you attend our Data Protection Impact Assessment (DPIA) Workshop, a one-day classroom session designed to provide attendees with the practical knowledge to deliver effective DPIAs. Places are available in London, Manchester and Birmingham in May.
If you’re just beginning your GDPR journey, you may want to consider attending our Certified EU General Data Protection Regulation (GDPR) Foundation training course, which runs in classrooms across the UK or live online.