What is a DPIA?
A DPIA (data protection impact assessment) is a process that helps organisations identify and minimise risks that result from data processing. DPIAs are usually undertaken when introducing new data processing processes, systems or technologies.
Why are DPIAs important?
DPIAs are a legal requirement under the GDPR (General Data Protection Regulation) for data processing that is likely to be ‘high risk’. Failure to carry out a DPIA when required may leave you open to enforcement action. This can include a fine up to 2% of your organisation’s annual global turnover or €10 million – whichever is greater.
Regular DPIAs supports the GDPR’s accountability principle, helping organisations demonstrate compliance. Conducting a DPIA can also help increase awareness of privacy and data protection issues within an organisation.
Read more about the fines and penalties under the GDPR >>
When should you conduct a DPIA?
You require a DPIA when data processing is likely to result in a high risk to data subjects.
The GDPR says you must conduct a DPIA if you plan to:
- Use systematic and extensive profiling with significant effects;
- Process special category or criminal offence data on a large scale; or
- Systematically monitor publicly accessible places on a large scale.
The ICO (Information Commissioner’s Office) also requires you to conduct a DPIA if you plan to:
- Use innovative technology (in combination with any of the criteria from the European guidelines);
- Use profiling or special category data to decide on access to services;
- Profile individuals on a large scale;
- Process biometric data (in combination with any of the criteria from the European guidelines);
- Process genetic data (in combination with any of the criteria from the European guidelines);
- Match data or combine datasets from different sources;
- Collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
- Track individuals’ location or behaviour;
- Profile children or target marketing or online services at them; or
- Process data that might endanger the individual’s physical health or safety in the event of a security breach.
Types of processing where a DPIA is likely to be required:
- A hospital processing its patients’ genetic and health data on its information system.
- The archiving of pseudonymised sensitive data from research projects or clinical trials.
- An organisation using an intelligent video analysis system to single out cars and automatically recognise registration plates.
- An organisation systematically monitoring its employees’ activities, including their workstations and Internet activity.
- The gathering of public social media data for generating profiles.
- An institution creating a national-level credit rating or fraud database.
The WP29 (Article 29 Working Party), which has now been replaced by the EDPB (European Data Protection Board), was responsible for issuing guidelines and opinions on aspects of the GDPR. Its guidelines on DPIAs set out the criteria that organisations should consider when determining the risks posed by a processing operation. The more criteria are met, the more likely processing is to present a high risk to the rights and freedoms of individuals, and therefore to require a DPIA.
Read the WP29 guidance on DPIAs >>
The key elements of a successful DPIA
A good DPIA helps you demonstrate that you have considered the risks related to your intended processing and met your broader compliance obligations.
The GDPR does not specify a DPIA process to follow. Instead, it allows organisations to use a framework that complements their existing processes.
Whichever methodology you use, according to the ICO your DPIA must:
- “describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.”
DPIAs and privacy by design
A DPIA should be conducted as early as possible in the project lifecycle, so that its findings and recommendations can be incorporated into the design of the processing operation.
Known as privacy by design, the embedding of data privacy features in the design of projects can have the following benefits:
- Potential problems are identified at an early stage.
- Addressing problems early will often be easier and cheaper.
- Increased awareness of privacy and data protection across the organisation.
- Organisations will be less likely to breach the GDPR.
- Actions are less likely to be privacy intrusive and have a negative impact on individuals.
Who should be involved in conducting a DPIA?
Data controllers are responsible for ensuring the DPIA is carried out. The DPIA should be conducted by those with appropriate expertise and knowledge of the project in question – normally the project team.
The DPIA should be conducted by people with appropriate expertise and knowledge of the project in question, normally the project team.
Under the GDPR, it is necessary for any organisation with a designated DPO (data protection officer) to seek their advice. This advice and the decisions taken should be documented as a part of the DPIA process.
Find out more about outsourcing when conducting a DPIA >>