Data Protection Impact Assessments

Data protection impact assessments (DPIAs) help organisations identify, assess and mitigate the privacy risks of personal data processing activities. They are particularly needed when a new data processing process, platform or system is being introduced.

DPIAs also support the accountability principle: they help organisations comply with the requirements of the General Data Protection Regulation (GDPR) and demonstrate that appropriate measures have been taken to ensure compliance.

Failure to conduct a DPIA where one is required is a breach of the GDPR and could lead to fines of up to 2% of an organisation’s annual global turnover or €10 million, whichever is greater.

When should a DPIA be conducted?

A DPIA should be conducted at the earliest point in any new project lifecycle, so that its findings and guidance can be built into the design of the processing operation.

Embedding data privacy features into the design of projects (Privacy by Design) can result in benefits including, but not limited to, the following:

  • Potential problems are identified at an early stage and can be remediated.
  • Eliminating problems early in the project will often reduce costs.
  • A better understanding of privacy and data protection across the organisation.
  • Organisations will be less susceptible to data breaches.
  • Project delivery will have a less detrimental effect on data subjects.

Key pillars of a successful DPIA

The GDPR does not prescribe a particular DPIA process, but instead allows organisations to design a framework that complements their existing working practices.

DPIAs are an integral part of taking a Privacy by Design approach.

A DPIA will typically consist of the following key steps:

  1. Assess the need for a DPIA.
  2. Delineate the information flow.
  3. Identify personal data protection and related risks.
  4. Design data protection solutions to mitigate or eliminate the risks.
  5. The DPO signs off on the outcomes of the DPIA.
  6. Integrate data protection solutions into the project.

In addition to reducing data privacy risks within a project, Data Protection Impact Assessments (DPIAs) enhance the protection of data subjects’ data, which in turn decreases the risk of harm to individuals through the misuse of their personal information. They can also lead to improved data handling processes, less load on resources and better awareness within the organisation.

DPIAs should not be seen as a stand-alone process, as they can easily be embedded into your existing project and risk management framework. This reduces the workload on the resources needed to conduct the assessment.

What is “privacy by design”?

Privacy by design, as outlined in Article 25 of the GDPR, is an approach that promotes privacy and data protection compliance from the start. Regrettably, privacy measures are often implemented late, as an afterthought, or not at all.

Data protection by design and by default is a requirement of the GDPR and the Data Protection Act, and will assist organisations in complying with their obligations under the legislation.

Benefits of taking a “privacy by design” approach

Taking the above approach can bring the following benefits:

  • Potential issues are identified at an early stage, when addressing them will often be simpler and reduce costly reworking of project elements.
  • Increased awareness of privacy and data protection across an organisation.
  • Organisations are more likely to meet their legal obligations and less likely to breach the Data Protection Act.
  • Actions are less likely to be privacy intrusive and have a negative impact on individuals.

Who should be involved in conducting a DPIA?

As an organisation that collects and stores personally identifiable information, you are responsible for ensuring that a DPIA is carried out.

The DPIA should be driven by resources with appropriate expertise and knowledge of the project being proposed, normally the project team. If your organisation does not possess sufficient expertise and experience internally, you should consider bringing in external specialists to consult on or to carry out the DPIA.

Under the GDPR, any organisation with a designated data protection officer (DPO) must seek the DPO’s advice. This advice and the decisions taken should be documented as part of the DPIA process.

Relentless Data Privacy has expertise and broad industry knowledge of leading DPIA assessments for internal project teams. Launching in late April, the Relentless GDPR 24/7 platform incorporates the DPIA workflow.