Data Protection Impact Assessment (DPIA)
Clear, concise guidance with step-by-step fixes designed to get your project compliant quickly and efficiently
Data Protection Impact Assessment – Straightforward, and Stress-free
What is a DPIA?
A Data Protection Impact Assessment (DPIA) is a risk assessment to demonstrate what risks apply to personal data. In some cases, it is a legal requirement to complete one. Our experts can help you with this decision.
A DPIA is basically a risk assessment relating to the processing of personal data. Not only is it a good idea to identify and minimise these risks, but it is also a legal requirement. It is also sometimes referred to as a PIA or Privacy Impact Assessment.
DPIAs help data controllers to comply with GDPR requirements and to demonstrate that compliance. A DPIA must be carried out before certain types of data processing.
You may have questions and concerns about performing a DPIA. GDPR may seem like a minefield for business owners who want to demonstrate compliance yet worry about the correct (and legal) way to process personal data.
These assessments can appear to be time-consuming, complex, and fraught with difficulties. If you are feeling confused or concerned about DPIA or GDPR then let us help make it easy, straightforward, and stress-free for you.
There are many benefits to completing a DPIA:
- It can help identify and mitigate potential risks with the proposed processing activity before issues arise.
- If issues are identified and mitigated early, this could prevent an incident from occurring later on which could have a significant impact on the business, such as a data breach.
- It can help demonstrate compliance with relevant legislation such as GDPR. For this to be most effective, it is important to review each DPIA that your organisation has periodically to ensure that the processing activities remain in line with newer legislation.
- It also shows your willingness to display compliance and accountability which builds trust and boosts the reputation of your business.
It is useful to think of a DPIA as more of an ongoing process than a one-off event. It is important for controllers to continually assess whether their data processing creates a risk to the rights and freedoms of the data subjects.
Failing to perform a DPIA when one is required immediately renders the processing unlawful and constitutes a breach of GDPR. This may lead to enforcement action from the ICO in the event of an investigation. If your data processing is subject to a data protection impact assessment, then you must complete a DPIA.
Failure to conduct the DPIA in the correct manner or failure to contact the ICO when required can also result in serious enforcement action from the ICO, or other EU Supervisory Authority.
Under current regulations, you could incur a fine of up to £17.5 million, or 4% of your annual turnover (whichever is higher).
First, you should assess whether a GDPR privacy impact assessment (or DPIA) is necessary for your business.
The first thing to ascertain is the level of risk created by your data processing. If it is likely that there is a high risk to individuals, then you will need to perform a DPIA.
UK GDPR states that you will need to perform a DPIA if you are going to:
- Process special category data (such as medical, criminal or financial data)
- Conduct or use profiling data
- Conduct ‘invisible processing’ (collect data without providing a privacy notice)
- Process data which may pose safety or health risks to an individual
- Profile children or direct marketing towards children
- Track the behaviour or location of individuals
- Use new data processing technology or systems
Any major projects which involve processing personal data, or any large-scale monitoring or profiling, will most likely require a DPIA.
There are circumstances where a DPIA may not be needed. A publication which uses a mailing list to send a generic message to subscribers is not likely to require a DPIA. Similarly, a website which uses limited profiling to display adverts, based on a subject’s purchasing or browsing on its own website, would not trigger a DPIA. In such cases, the data controller should consult with the data protection officer and record the reasons for not carrying out a DPIA.
Contact us today and we can begin working immediately to ensure your system is legal.
Before processing data, you should consider the probability (and severity) of any potential risk to individuals. If you identify high levels of risk and a likelihood of harmful consequences to individuals, then you must act to mitigate that risk in every way that you can. If you are unable to mitigate the risk, then you will need to contact the ICO before you begin processing the data. The ICO will provide written advice within 8-14 weeks (depending on the complexity of the case).
You must have a lawful basis in order to process personal data. There are 6 bases, or legal reasons, that justify processing personal data:
- Legal obligation – you need to process the data as part of a legal obligation
- Public duties – the data processing is in the public interest, or for official reasons
- Consent – the data subject has given consent for their data to be used
- Vital interests – the data processing is necessary to protect an individual’s life
- Legitimate interests – processing is required for legitimate reasons and is not overridden by the need to protect the individual’s data
- Contract – processing is needed to fulfil a legal contract with the individual
There are several important steps that will need to be followed when performing a thorough data protection impact assessment:
- Carry out a review to see if you need a full DPIA
- Describe the purpose and scope of your data processing project
- Consider consulting with experts and interested parties
- Establish that you need to process the data and can remain compliant
- Identify any potential risks
- Have a plan to mitigate risk and protect individuals
- Create a report describing your conclusions and considerations
- Keep track of your actions to guard against function creep
The DPIA should be undertaken before you begin processing data and should continue through the planning and execution of your data processing project.
Considering the serious consequences of a data breach, taking a risk-based approach to data protection is a logical precaution. If your business collects, controls or processes data relating to individuals then it is important to understand your legal obligations and take whatever actions are appropriate.
Performing a DPIA will help ensure that your security measures are efficient and effective. It also means that you won’t waste time and resources on threats that are very unlikely to occur or would have a low negative effect on the individuals involved.
By conducting a DPIA in the initial stages of a project you can identify and address potential problems as early as possible. Taking a pre-emptive approach will have several benefits:
- Problems can be identified before you begin processing
- You can create a plan to address any potential problems
- It is usually cheaper and easier to deal with issues at an early stage of a project – rather than changing your processing system later on
- GDPR awareness will be increased within your business
- You will be far less likely to breach data regulations
Conducting a DPIA is particularly relevant when new data processing methods or technology are being used. Using new technological systems or innovative solutions may create a risk to the rights of individuals and should be accurately assessed before implementation. This could include such things as fingerprint or facial recognition technology, fitness apps and similar software applications. Any novel ways of collecting or using data can trigger the need for a DPIA.
Although "large scale" is not clearly defined, the relevant factors include the number of data subjects, the proportion of the population affected, the geographical extent, the volume of data being processed, and the duration of the processing. Large processing operations may present large-scale risks and require a DPIA to assess them.
Monitoring systems pose a particular threat because individuals may not be aware that they are being monitored, or may be unable to avoid it, for example CCTV cameras in public places. The data collected, held, and processed may put the rights of data subjects at risk. Social media data gathered to build a profile, camera monitoring of employees, and tracking of internet activity are all examples of systematic monitoring. A DPIA will help assess and mitigate any risk.
Vulnerable subjects could mean the elderly, children, asylum seekers, employees, individuals with mental illness, hospital patients etc. In these cases, there may be a power imbalance between the data controller and the data subject. The subject may not be capable of knowingly consenting to (or opposing) the processing of their personal information. A DPIA is required due to the inherent high risk in these circumstances.
In summary
A DPIA is an invaluable process to assess and manage risks to the rights and freedoms of data subjects (individuals). The purpose of the DPIA is to identify potential risks and enable controllers to find ways to mitigate the risks. A DPIA helps controllers to be compliant with GDPR and to demonstrate legal compliance.
What to do next:
- Please contact us now and let us remove the stress of managing data compliance in your business.
- We handle the complete scope of any data privacy impact requirement
How much will this cost?
A DPIA can vary depending on the size and scale of the project or processing activity.
A minor DPIA can take as little as half a day, which includes the time we spend auditing and learning the data flows in the environment, ahead of drafting the document.
A significant DPIA for a high-risk activity can take several months of drafting, analysis of the results and then re-drafting to address any undue risks. Where the risks to the rights and freedoms of individuals cannot be mitigated through the DPIA, you may need to engage and liaise with the appropriate Supervisory Authority (UK ICO).
Our standard fees are £150. If our Senior Global Privacy Consultants are required for the more complex, multi-territorial engagements, fees are £250 per hour.
Why choose us?
Find out more about us, and why we are a leading UK privacy consultancy.
What next?
Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.
Other services you may be interested in from PRIVACY HELPER
GDPR Consultancy
Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.
GDPR Training Courses
An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.
Marketing
Is your marketing activity legal? We can make sure it is.