Data protection impact assessments under the GDPR
Data protection impact assessments (DPIAs) help organisations identify, assess and mitigate or minimise the privacy risks associated with data processing activities. They are particularly relevant when a new data processing process, system or technology is being introduced.
DPIAs also support the accountability principle, as they help organisations comply with the requirements of the General Data Protection Regulation (GDPR) and demonstrate that appropriate measures have been taken to ensure compliance.
Failure to adequately conduct a DPIA where appropriate is a breach of the GDPR and could lead to fines of up to 2% of an organisation's annual global turnover or €10 million – whichever is greater.
Why should a DPIA be conducted?
The GDPR mandates that a DPIA be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. The three primary conditions identified in the GDPR are:
- A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
- Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
- Systematic monitoring of a publicly accessible area on a large scale.
When should a DPIA be conducted?
A DPIA should be conducted as early as possible within any new project lifecycle, so that its findings and recommendations can be incorporated into the design of the processing operation.
Embedding data privacy features into the design of projects, known as privacy by design, can have the following benefits:
- Potential problems are identified at an early stage.
- Addressing problems early will often be simpler and less costly.
- Increased awareness of privacy and data protection across the organisation.
- Organisations will be less likely to breach the GDPR.
- Actions are less likely to be privacy intrusive and have a negative impact on individuals.
Who should be involved in conducting a DPIA?
The organisation (data controller) is responsible for ensuring the DPIA is carried out.
The DPIA should be driven by people with appropriate expertise and knowledge of the project in question, normally the project team. If your organisation does not possess sufficient expertise and experience internally, you may consider bringing in external specialists to consult on or to carry out the DPIA.
Under the GDPR it is necessary for any organisation with a designated data protection officer (DPO) to seek the DPO’s advice. This advice and the decisions taken should be documented as a part of the DPIA process.
Examples of personal data processing where a DPIA is likely to be required
- A hospital processing its patients’ genetic and health data on its information system.
- The archiving of pseudonymised personal sensitive data from research projects or clinical trials.
- An organisation using an intelligent video analysis system to single out cars and automatically recognise registration plates.
- A company systematically monitoring its employees’ activities, including their workstations and Internet activity.
- The gathering of public social media data for generating profiles.
- An institution creating a national-level credit rating or fraud database.
The Article 29 Working Party (WP29), in its guidelines on DPIAs, sets out the criteria that organisations should consider when determining the risks posed by a processing operation. The more of these criteria a processing operation meets, the more likely it is to present a high risk to the rights and freedoms of individuals, and therefore to require a DPIA.
Key elements of a successful DPIA
The GDPR does not specify which DPIA process must be followed, but instead allows organisations to adopt a framework that complements their existing working practices. Conducting privacy impact assessments code of practice, from the Information Commissioner’s Office (ICO), is an example of such a framework.
A DPIA will typically consist of the following key steps:
1. Identify the need for a DPIA.
2. Describe the information flow.
3. Identify data protection and related risks.
4. Identify data protection solutions to reduce or eliminate the risks.
5. Sign off the outcomes of the DPIA.
6. Integrate data protection solutions into the project.
Our solutions to help you conduct a DPIA
Learn in this one-day workshop when and how to conduct a DPIA under the GDPR.
Book our fixed-price DPIA service and get an assessment of the data protection risks associated with a new or existing data processing operation within your organisation.
Receive a complete set of documentation templates that are easy to use, customisable and support GDPR compliance with the market-leading EU GDPR Documentation Toolkit, including a data protection impact assessment template and tool.
Speak to an expert
Please contact our GDPR team for advice and guidance on our products and services.
Call: +44 (0)333 800 7000