Data Protection Impact Assessment (DPIA) explained

The world of GDPR representation, data protection and associated regulations such can be difficult to navigate. How do you assess where the major compliance risks are for your organisation? What methods and processes should you utilise (and who should own them?).

In this article, we take a look at the Data Protection Impact Assessment (DPIA), a process critical to compliance when processing activities are likely to result in a high risk to individuals (read on for what constitutes high risk).

We cover what a DPIA is, when and how you should conduct a DPIA. 

What is a DPIA

A DPIA is a process that an organisation must conduct when its processing activities are likely to result in a high risk to individuals (GDPR Articles 35 and 36).

Processing activities that are likely to result in high risk include:

• Processing that involves the use of innovative technology such as artificial intelligence, machine learning and smart technologies
• Decisions about an individual’s access to a product or service, opportunity or benefit based on automated decision making including profiling such as credit checks, mortgage applications or pre-check processes
• Profiling of individuals on a large scale such as data processed by smart meters and IoT applications
• Biometric data processing on an individual such as the use of facial recognition systems and workplace access systems and identity verification software
• Genetic data processing (apart from GP processing) such as medical diagnosis software, DNA testing and medical research
• Data matching processing combining, comparing or matching personal data for such uses as fraud prevention or direct marketing
• Invisible processing where personal data has not been obtained directly from the individual such as list brokering, direct marketing, and online tracking
• Geolocation tracking processing that involves the use of IoT applications, web and cross-device tracking and tracing services

A DPIA done properly should identify and minimise these data protection risks. A DPIA is also a very important function in ensuring data protection compliance. 

To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals that a change to your systems, operational activities and processes may bring such as for example when you migrate personal data from an existing software platform to a new supplier’s software product.

Conducting a DPIA will also achieve effective compliance resulting in financial and reputational benefits as well as evidencing accountability for your processing activities under GDPR, it can also go a long way in building trust and confidence across individuals from prospects to customers.

A DPIA is a formal process that needs to be embedded into your organisational compliance processes by maintaining appropriate records of when a DPIA was conducted, the reasons for doing so and the risks identified and mitigated against.

When to conduct a DPIA?

You must conduct a DPIA before you begin any type of processing that is likely to result in a high risk. 

In particular, the GDPR says you must conduct a DPIA if you plan to:

• use systematic and extensive profiling with significant effects;
• process special category or criminal offence data on a large scale; or
• systematically monitor publicly accessible places on a large scale.

You should also think carefully about doing a DPIA for any other processing that is large-scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.

It is good practice to conduct a DPIA for any major new project involving the use of personal data.

How to conduct a DPIA?

A DPIA should be managed by taking a staged process that involves:

• Identifying the need for a DPIA
• Describing the processing activity
• Consulting within and outside your organisation with individuals who will be involved in the processing such as software suppliers, your DPO, lawyers, CISO, CIO and data processors
• Assessing and considering the proportionality of the processing
• Identifying the risks involved
• Identifying suitable measures to mitigate any risk against the possibility of a data or security breach
• Obtaining final approval from stakeholders for the processing activity with a formal sign-off of the DPIA taking account of recommendations from your DPO, lawyer and CISO
• Integrating and embedding the new processing activities across the organisation
• Monitoring and keeping under review the processing activity by documented records to evidence compliance

GDPR Rep is on a mission to help every business achieve and maintain GPDR representation. If you are looking into how your organisation can fulfil its requirements why not schedule a no-commitment call with a GDPR representative expert today, or get a quote to understand how our value pricing makes compliance simple.