Data Protection Impact Assessment (DPIA)

Context:

The data protection impact assessment is the key documentary requirement which arises in the GDPR. It’s purpose is to ensure that risks to the personal information of individuals have been considered and, where risks are identified, mitigated. It is a mandatory requirement in some instances but is advised across all processing of personal information. Having a robust DPIA process, history and evidence will stand an organisation in good stead should any issues arise with the processing of personal data. Where a Data Protection Officer is either required or chosen out of good practice, the creation and monitoring of the DPIA is a key part of their role.

Considerations:

A DPIA is mandatory in the following circumstances:

• Automated decision making and creation of profiles is taking place
• Large scale and systematic processing of personal information is taking place

It is strongly advised that a DPIA takes place when:

• There is a change in processing operations
• There is a change in the risk to data subjects
• New systems or technology are being implemented

It is also key to make sure that the creation of the DPIA takes place prior to any processing or change in processing of personal information.

Some exemptions exist for health care professionals and lawyers. Processing of personal information within these roles does not attract a mandatory DPIA requirement.

If an organisation suffers a data breach or an unmitigated high risk is identified then a copy of the DPIA will need to be provided to the national supervisory authority.

Having a robust and comprehensive set of DPIAs is an effective part of demonstrating compliance with the GDPR. Being able to demonstrate and monitor compliance with the regulation is a mandatory requirement – something with which the Gydeline can also assist.

How to:

Where your organisation has a data protection officer or an individual performing that role ensure you assign them responsibility for competing the DPIA. It is also a requirement of the GDPR that you take the advice of the DPO where this role exists.

Prior to any processing of personal data:

1. Consider all the scenarios where personal data is processed
2. For these processing operations document the following:
   1. A description of the processing
   2. The purpose of the processing
   3. An assessment of the necessity of the processing
   4. An assessment of the risks presented to individuals
   5. An assessment of any impact to the rights of individuals
   6. A description of the measures (both organisational and technical) that have/will be implemented to address any highlighted risk
   7. Any legitimate interest related to the processing
3. Set a schedule to review the completed DPIA

Where the DPIA has identified risks to individuals that have not or cannot be mitigated, the supervisory authority must be informed. It is important to inform them prior to any processing taking place.

If for any reason the advice offered by the DPO is not taken, the reasons for not following the DPOs advice should also be documented as part of the DPIA.

A simple DPIA template is available from Gydeline.

Common Scenarios:

The organisation launches a new service

• As part of the plan to rollout the new service, schedule a DPIA to occur before the service is launched, considering that time may be needed to mitigate any risks to the processing of personal data that are identified.

A website form is changed

• Review if there is any change to the personal data collected and also consider if this data collection can be minimised. Describe any new risks and document the technical security measures such as encryption that surround the form whilst it is being stored, retrieved or otherwise processed. Set a schedule to review this processing and measures and store the DPIA document with other completed DPIAs.

References:

• GDPR Recitals: 76, 77, 83, 84,89, 90, 91-95, 97
• GDPR Articles 32, 35, 36, 39