Under the GDPR you will be required to carry out Data Protection Impact Assessments (DPIA), involving your DPO (if you have one) where the data processing represents a “high risk to the rights and freedoms of the data subjects”. Read on to understand this requirement.
What is a DPIA?
A DPIA (also known as a privacy impact assessment or PIA) is an evaluation of the impact of a data processing operation on the protection of personal data, specifically an assessment of the probability and severity of the risks to the rights and freedoms of individuals resulting from your processing operation.
It should be noted that the GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons – just where the risk is deemed particularly high.
High-risk processing is defined as processing a considerable amount of personal data at regional, national or supranational level; which affects a large number of individuals; and involves a high risk to individuals’ rights and freedoms, for example because of the sensitivity of the processing activity.
Some examples of high-risk processing include:
- Profiling a data subject using automated processes to make decisions. This refers to the risk that a potentially damaging decision is taken without any human intervention in the decision-making process.
- Processing large quantities of sensitive data, even where explicit prior consent has been given. This is further caveated by Member State law, which may prohibit such data from being used at all: processing of data revealing ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, and of genetic data, biometric data, health data and data concerning sexual orientation, is strictly prohibited.
- Systematically monitoring publicly accessible areas on a large scale such as a shopping centre, especially when using technology such as CCTV, or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects.
- Data concerning vulnerable subjects, such as employees, children and the elderly.
- Where public authorities or bodies intend to establish a common application or processing platform, or where several controllers plan to introduce a common application or processing environment across an industry sector or segment.
When is a DPIA definitely required? Some examples…
When might a DPIA not be required?*
* Please note: Though unlikely, it is possible that one or more of the above examples could still need a DPIA, depending on the specific scenario. If you are unsure then we can help you to assess the requirement.
7 Steps to Plan Your Approach to DPIAs
DPIAs will play an important role under the GDPR, and data controllers must take this obligation seriously. If you identify that you need to undertake DPIAs, follow these 7 steps to establish a cyclical process for carrying out a DPIA:
- Give a detailed description of what data you are intending to process.
- Assess the necessity and proportionality.
- Devise the measures you intend to use to demonstrate and evidence compliance.
- Assess the risk to the rights and freedoms of the data subjects.
- Devise measures to address and mitigate the identified risk.
- Produce full documentation for auditing processes.
- Monitor and review the process.
DPIA Process Checklist
Use this checklist to help you implement these 7 steps by way of a process:
DPIA Elements Checklist
Use the checklist below to include the following key points in your DPIA:
DPIAs are a pragmatic way for data controllers to implement data processing systems that fully comply with the GDPR. They are scalable and can take on different forms, but the GDPR sets out the basic requirements of an effective DPIA.