Data Protection Impact Assessment (DPIA)
A data protection impact assessment must always be conducted when the processing could result in a high risk to the rights and freedoms of individuals. Criteria which indicate this are for example:
- automatic decisions which lead to legal consequences for those impacted,
- systematic monitoring,
- processing of special categories of personal data,
- data which is processed on a large scale,
- the merging or combining of data which was gathered by various processes,
- data about incapacitated persons or those with limited ability to act,
- use of newer technologies or biometric procedures,
- data transfer to countries outside the EU/EEC and
- data processing which hinders those involved in exercising their rights.
A data protection impact assessment is not strictly necessary if a processing operation fulfils only one of these criteria. However, if several criteria are met, the risk to the data subjects is expected to be high and a data protection impact assessment is always required. If it is unclear whether the risk is high, a DPIA should nevertheless be conducted. The assessment should be repeated at least every three years.
In addition, the national supervisory authorities (the ICO in the UK) have to establish and publish a list of processing operations which always require a data protection impact assessment in their jurisdiction (the "blacklist"). They are also free to publish a list of processing activities which specifically do not require a data protection impact assessment (the "whitelist"). If a company has appointed a Data Protection Officer, their advice must be taken into account when conducting a DPIA.
We carry out and/or give advice on DPIAs.
Internal Audits & Information Asset Register
The GDPR contains explicit provisions about documenting your processing activities.
You must maintain records on several things such as processing purposes, data sharing and retention.
Documentation can help you comply with other aspects of the GDPR and improve your data governance.
For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities.
Information audits or data-mapping exercises should feed into the documentation of your processing activities.
Records must be kept in writing, updated regularly and reflect your current processing activities.
Examples of this work include bespoke policy documents (Data Protection Policy, Information Security Policy), a data protection register, and Privacy Notice development and implementation.