GDPR Data Protection Impact Assessments (DPIAs) - Why and When?

Data Protection Impact Assessments (DPIAs) for the GDPR - Why and when?

Under the GDPR Data Controllers must carry out DPIAs to evaluate, in particular, the origin, nature, particularity and severity of the data risks in relation to the rights and freedoms of natural persons, before processing personally identifiable information (PII).

A DPIA covers off the measures, safeguards and mechanisms envisaged to mitigate potential data risks when a new project comes about, or when a current business process or practice needs revising.  A flexible approach to DPIAs is beneficial to the organisation so that they can track improvements against identified risks at a given point in time. This then provides evidence of the active work towards data compliance.

According to the GDPR, DPIAs must focus on those business processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. To help understand this further these examples will help:

  • a systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV, drones and body-worn devices)
  • a systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing and on which decisions are based that produce legal effects concerning individuals, or similarly significantly affect them (e.g. such as automatic refusal of an online credit card application, or e-recruiting practices that don't involve human intervention)
  • processing on a large scale of special categories of data (e.g. health, religion or ethnic origin) and
  • processing on a large scale of personal data relating to criminal convictions and offences.

What is the need for a Data Protection Impact Assessment (DPIA)?

To reduce a project’s privacy risks. A Data Protection Impact Assessment (DPIA) helps to identify and address risks at an early stage, and it does this  by analysing how the proposed uses of personal information and technology will actually work in practice, to then propose methods to mitigate these risks.

When to conduct a Data Protection Impact Assessment (DPIA)?

Undertake DPIAs during the planning phase of a new project, or when revisiting existing practices and processes. The Information Commissioners Office (ICO) suggests a flexible approach to DPIAs in that they allow for tracked changes to evidence risks that have been rectified.

If you are in any doubt as to whther a DPIA is neccessary the Guidance from the Article 29 Working Party (A29WP) suggests you carry one out.

For further practical advice on the GDPR read our Whitepaper – what you need to know, by signing up to Gravicus Osprey and gaining access to our Resource Centre & FREE DPIAs. You can also find out more about our data management tools - Osprey DPIA and Osprey Privacy.

Osprey DPIA

Your starting point for data compliance and beyond…

If you are just starting your GDPR journey or you’ve already made a start but need to validate your approach, Osprey’s FREE* DPIA tool is the first step to gaining insights into how your organisation collects, stores, uses, transmits, shares and protects personal information.

Osprey DPIA is the smart data solution driven by AI & purpose-built to analyse unstructured data for valuable insights to help:

  • manage compliance
  • regulatory risk
  • develop strategies for cyber risk
  • manage intelligent migration projects
  • data cleanse

Osprey DPIA takes you through the assessment step-by-step. It allows you to invite multiple users from different departments, teams or projects to input, and includes save and edit functionality, as well as historical tracking & recurring DPIA.

Sign Up to Osprey to access up to 5 FREE* DPIAs

GRAVICUS - Simply smart software and tools for data management and compliance

Further articles that maybe of interest are: