Data Protection Impact Assessments
Data protection impact assessments (DPIAs) help organisations identify, assess and reduce or eliminate the privacy risks of personal data processing activities. They are particularly needed when a new data processing process, platform or system is being introduced.
DPIAs also support the accountability principle, as they help organisations comply with the requirements of the General Data Protection Regulation (GDPR) and demonstrate that appropriate measures have been taken to ensure compliance.
Failure to conduct a DPIA where it is needed is a breach of the GDPR and could lead to fines of up to 2% of an organisation’s annual global turnover or €10 million – whichever is greater.
When should a DPIA be conducted?
A DPIA should be conducted at the earliest point in any new project lifecycle, so that its findings and guidance can be incorporated into the design of the processing operation.
Embedding data privacy features (Privacy by Design) into the design of projects can result in benefits including, but not limited to, the following:
- Potential problems are identified at an early stage and can be remediated.
- Eliminating problems early in the project will often reduce costs.
- A better understanding of privacy and data protection across the organisation.
- Organisations will be less susceptible to data breaches.
- Project delivery will have a less detrimental effect on data subjects.
Key pillars of a successful DPIA
The GDPR does not prescribe a particular DPIA process to be followed; instead it allows organisations to design a framework that supplements their existing working practices.
DPIAs are an integral part of taking a Privacy by Design approach.
A DPIA will typically consist of the following key steps:
- Assess the need for a DPIA.
- Delineate the information flow.
- Identify personal data protection and related risks.
- Design data protection solutions to mitigate or eliminate the risks.
- The DPO signs off on the outcomes of the DPIA.
- Integrate data protection solutions into the project.
In addition to reducing data privacy risks within a project, DPIAs enhance the protection of data subjects' data, which in turn decreases the risk of harm to individuals through the misuse of their personal information. They can also lead to improved data handling processes, less load on resources and better awareness within the organisation.
DPIAs should not be seen as a stand-alone process, as they can easily be embedded into your existing project and risk management framework. This will reduce the workload on the resources needed to conduct the assessment.
What is “privacy by design”?
Privacy by design, as outlined in Article 25 of the GDPR, is an approach that promotes privacy and data protection compliance from the start. Regrettably, it is often implemented late, as an afterthought, or not started at all.
Data protection by design and by default is a requirement of the GDPR and the Data Protection Act, and will help organisations comply with their obligations under the legislation.
Benefits of taking a “privacy by design” approach
Taking this approach brings the following advantages:
- Potential issues are identified at an early stage, when addressing them will often be simpler and will avoid costly reworking of project elements.
- Increased awareness of privacy and data protection across an organisation.
- Organisations are more likely to meet their legal obligations and less likely to breach the Data Protection Act.
- Actions are less likely to be privacy intrusive and have a negative impact on individuals.
Who should be involved in conducting a DPIA?
As an organisation that collects and stores personally identifiable information, you are responsible for ensuring that a DPIA is carried out.
The DPIA should be driven by people with appropriate expertise and knowledge of the project being proposed, normally the project team. If your organisation does not possess sufficient expertise and experience internally, you should consider bringing in external specialists to consult on or carry out the DPIA.
Under the GDPR, any organisation with a designated data protection officer (DPO) must seek the DPO's advice. This advice and the decisions taken should be documented as part of the DPIA process.
Relentless Data Privacy has expertise and broad industry knowledge in leading DPIA assessments for internal project teams. Launching in late April, the Relentless GDPR 24/7 platform incorporates the DPIA workflow.