The European Union's General Data Protection Regulation (GDPR) is an ambitious piece of legislation that affects every business that collects or processes personal data. It aims to give individuals greater protection by imposing a number of obligations on organisations that process personal data. One of these is the requirement to carry out a 'Data Protection Impact Assessment' (DPIA). This post explains what a DPIA is and how it can help you meet your GDPR obligations.
When must a data protection impact assessment be carried out?
As a general rule, the GDPR requires a DPIA to be carried out before any new processing of personal data that is likely to result in a high risk to individuals. This includes projects that involve systematic monitoring of individuals on a large scale and those that involve regular, systematic profiling (including analytics).
In addition, there are other circumstances where you may need to carry out a DPIA:
If you want to use new technologies in connection with your processing activities (e.g., Artificial Intelligence), you should consider carrying out a DPIA;
When the risk to individuals increases because of changes in technology or business practices;
When internal or external stakeholders raise concerns about the security measures your organisation has taken;
When there is an impact on an individual's rights and freedoms; and
How to carry out a data protection impact assessment
The DPA's guide on data protection impact assessments (DPIAs) provides a framework for assessing, managing and minimising the risks to individuals that arise from data processing.
The guide helps you identify the processing operations, purposes and recipients involved in your organisation's personal data processing. It also asks how you can reduce the risk of individuals being re-identified by linking their details across databases, and how your business would respond to a security breach or accidental loss of information.
The DPA outlines three steps that organisations should take when carrying out a DPIA:
Identify the processing operations and purposes - what do we process?
For what purpose?
Who has access to this information?