Since GDPR’s implementation, consumers have become increasingly aware of the importance of data protection. As a result, the general public want reassurances that businesses they interact with have proper safeguards in place to protect their information.
Privacy legislation is in a continual state of change; staying up to date and understanding obligations can often be confusing for companies, particularly when it comes to carrying out a Data Protection Impact Assessment (DPIA). If your organisation processes data likely to present a high risk to the rights and freedoms of individuals, DPIAs become a legal requirement.
But what constitutes high risk, and how often should a DPIA be performed? To help answer these questions and give a useful overview, data protection service provider The DPO Centre explores the topic further.
DPIAs: What are they, and why do they matter?
First, it’s important to understand what a Data Protection Impact Assessment is.
In short, a DPIA is a process used by privacy professionals to identify and mitigate data protection risks associated with the processing of personal data. At their core, DPIAs are a risk assessment tool enabling organisations to show compliance with the principles of the GDPR and help reduce the possibilities of a data breach.
By conducting DPIAs, companies can proactively identify the risks and analyse potential impacts associated with personal data processing. As mentioned, these assessments are a legal requirement for a number of businesses, but many companies choose to carry out a DPIA due to the additional risk reduction benefits they can bring.
DPIAs offer many advantages: building confidence among stakeholders and investors, identifying measures to increase consumer trust, and growing data protection awareness among employees. Beyond mere compliance, the assessment process is a cost-effective way to integrate data protection into the core of a business and build a good reputation. Proper implementation can uncover privacy risks early, allowing for better processes at inception, rather than treating data protection as an afterthought.
When is a DPIA required?
Under the GDPR and UK GDPR, a DPIA is required whenever the activity of processing EU and/or UK personal data is likely to result in a high risk to the rights and freedoms of individuals. To qualify as high risk, data processing activities must meet certain criteria. The following are considered high risk activities for which a DPIA must be undertaken:
- Systematic and extensive evaluation/profiling that will have significant effects: this is the processing of substantial amounts of data and making decisions based on evaluations or profiles that could significantly affect individuals
- Large scale processing of special category or criminal conviction data: this is data that includes sensitive information such as race, ethnic origin, health data, and religious beliefs
- Systematic monitoring of public areas: for example, surveillance/CCTV cameras in busy places
There are further situations that may indicate high risk. In these cases, you may not be mandated to carry out an assessment, but it would be advisable to do so:
- Evaluating or scoring individuals: for example, building a profile of individuals’ preferences to inform commercial marketing decisions
- Processing information about people considered vulnerable: this includes children, the elderly, or individuals with disabilities
- Automated decision making with legal or significant effects: for example, the use of systems to approve/reject credit applications
- Matching or combining information from multiple sources: such as collecting multiple datasets and combining them into one
- Processing data on a large scale
- Using individuals’ biometric or genetic information
- Invisible processing, where the individual does not know you have their information
- Tracking individuals online or using technology to track people in the real world
- Any time there is a risk of physical harm to people
Best practices
Effective DPIAs require careful planning to reach their full potential for analysing, identifying and mitigating risks. An experienced Data Protection Officer (DPO) will advise on the best course of action and preparation, but some general guidelines to consider are:
- Involve relevant stakeholders. If using third parties, you may wish to also involve them.
- Carry out a screening assessment to determine if the activity is high risk; if so, you must proceed to a DPIA
- Assess all risks, technical and non-technical, and decide if a DPIA is required
- Reduce risks, either by implementing new processes, procedures or by gathering less data
- Review throughout the lifecycle of a project, especially when there are any company or legislation changes
It is vital to document your decision-making throughout the entire process, as well as explaining why you believe risks have been appropriately reduced.
How to apply DPIA findings to your business
A DPIA is only as effective as the actions taken in response to its findings. Developing an action plan is key, and may include implementing new processes, technologies or training programmes. When implementing any changes, relevant personnel and stakeholders should be informed of the steps being taken. Monitor and review the impact of these changes to ensure the strategies are working as intended and, if not, make adjustments accordingly. Finally, document everything – this is crucial for demonstrating compliance with data protection regulations.
Summary
As this article has explored, DPIAs are not only a legal requirement under the GDPR for high-risk data processing but also a proactive step to prevent data breaches.
DPIAs are not a one-time process, but instead should be seen as a tool for continuous improvement and revisited as your business evolves, new technologies are adopted, or regulatory requirements change. By maintaining a disciplined approach to data protection, your business can strengthen its reputation and continue to grow and maintain customer trust.