What is A Data Protection Impact Assessment (DPIA)?
Data Protection Impact Assessments (DPIAs) are a requirement of the UK GDPR. The assessment aids compliance with data protection requirements and obligations. Its aim is to help firms identify the risks associated with data processing and the risks posed to data subjects.
Completing a DPIA is mandatory for certain organisations and types of data processing, enabling a pre-emptive approach to assessing risks and applying corrective actions before an issue occurs. When assessing risks associated with data protection, firms should be looking to either eliminate, reduce or accept the identified risks.
Where an impact assessment indicates that the data processing will (or is likely to) result in a high risk to an individual and a firm is unable to mitigate such risk(s), they must consult the Commissioner (previously referred to as the Supervisory Authority) prior to the processing taking place.
Assessing Risks to Personal Data
Individuals must be confident that any organisation processing their personal data is doing so in accordance with the UK GDPR, as tailored by the DPA18. Privacy and confidentiality of such information must be a priority.
Where the risks of processing are high, businesses must use data protection impact assessments to assess the risk, the impact and the likelihood. An assessment also evaluates and records the origin, nature, particularity and severity of that risk, along with the processing purpose, reasons and mitigating measures and/or proposed solutions.
GDPR Requirements for DPIAs
Article 35(3) of the UK GDPR (and associated Recitals) specifies the conditions as to when completing a DPIA is necessary. Below is a non-exhaustive list of activities that should involve a DPIA as provided by the Regulation and the ICO. However, each data processing activity should also be evaluated on its own merits to determine if processing is likely to result in high risk.
Pursuant to Article 35(3) and Recitals 84 and 89-96, processing that is likely to result in a high risk includes:
• Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person(s);
• Processing on a large scale of special categories of data;
• Processing on a large scale of personal data relating to criminal convictions and offences;
• Systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV);
• Where a processing operation is likely to result in a high risk to the rights and freedoms of an individual;
• Activities or processing operations involving the use of new technologies;
• New processing activities not previously used;
• Processing considerable amounts of personal data at regional, national or supranational level, which could affect many data subjects;
• Processing activities making it difficult for the data subject(s) to exercise their rights.