What is a Data Protection Impact Assessment?


So, we’re told that certain types of processes and complex processes require a data protection impact assessment. What on earth is that anyway? In short, it’s required where a process is likely to result in a high risk to individuals.

Thinking about it practically, it is only a way to record the decisions that are made once you have researched what risks an organisation faces when processing personal data in a particular way. There are two things to do to prepare for a data protection impact assessment: complete a data audit and create your internal documentation. These two things will determine the rules your organisation will operate under.

As I’m already fed up writing data protection impact assessment all the time, let’s use its abbreviation: DPIA. That’s much easier to handle and it’s how they are most commonly referred to.

What are the Main “Markers” for a DPIA to be Completed?

This will not apply to everyone, particularly smaller organisations, but you must complete a DPIA if:

  • The process uses systematic and extensive profiling with significant effects;
  • The process uses special category or criminal offence data on a large scale; or
  • The process will systematically monitor publicly accessible places on a large scale.

Other than that, there’s a long list of potential reasons for a DPIA. Let’s try to summarise this as much as possible:

  • When implementing new major projects.
  • Automated evaluating, scoring, decision-making, or systematic monitoring.
  • Large-scale profiling.
  • Combining, comparing, or matching data from multiple sources.
  • A change in the nature, scope, context, or purpose of processing personal information.

For a lot of the things listed above, the decision to perform a data protection impact assessment comes down to perception and judgement.

Many smaller organisations will skip this completely because they do not think that a process of theirs would qualify. In reality, every organisation that runs ecommerce should undertake a DPIA. A person’s bank details, if lost, are considered to be information likely to cause significant impact to that person. Therefore, such processing should be classified as a high-risk process.

So What Does a Data Protection Impact Assessment Look Like?

After saying everything above, completing a DPIA is just like completing a project: put very simply, there are particular steps to go through. However, it’s also important to make the decisions purely on the evidence of the DPIA, not tailored to the desire to implement the process. This, in regulatory terms, is called Data Protection by Design and should underpin everything you base your processes on.

At a high level a DPIA looks like this.

One thing to note here is that the fourth step, “Assessments” means assess the necessity and proportionality of the process for the company and against the principles of data protection.

You need to follow each step and write down what each step implies as actions for the next. The final decision on whether you go ahead or not should be solely governed by what is found when completing the DPIA.

What Should I Get Out of a DPIA?

What you should get out of the process is whether:

  1. You have identified a process that requires a DPIA or not.
  2. The areas of the process that require particular attention.
  3. A checkpoint with the ICO – if applicable (but it’s an important decision).
  4. Knowledge of what the risks are within the process.
  5. Knowledge of how to mitigate them, in whole or in part, and/or live with the risk.
  6. An understanding as to whether the process is viable from a data protection standpoint.
  7. A plan to implement the changed process into your business-as-usual activities.

What else is there to consider?

Whether you give it its full title of Data Protection Impact Assessment, or it’s abbreviated to DPIA, this is an essential tool to get to know. If you are investigated by the ICO, for any reason, having documentation supporting your decisions helps immensely. There is a big difference between a financial penalty and an enforcement order. Neither is nice, but one has a whole lot less impact on the company’s wallet!

A lot can be understood from your internal documentation. Visit http://eye.validusmedia.com/what-internal-documents-do-i-need-for-gdpr/ to see what you can do to prepare for a DPIA by setting your standards.

There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.

If not, we would be pleased to answer your enquiry through enquiries@eye.validusmedia.com, or by calling 0743211611.

Alternatively visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.
