Data protection risks are best addressed when the system or process is i) new and in the process of being designed, or ii) in the process of undergoing major changes.
Introducing changes to address data protection risks after the design of a process or system has been finalised or implemented will likely lead to increased cost and effort.
Some examples of when to conduct a DPIA include:
- Creating a new system that involves the handling of personal data (e.g. a new website that collects personal data)
- Creating a new process, including manual processes, that involves the handling of personal data (e.g. a receptionist collecting personal data from visitors)
- Changing the way that existing systems or processes handle personal data (e.g. a redesign of the customer registration process)
- Changes to the organisational structure that affect the departments handling personal data (e.g. mergers and acquisitions, restructuring)
Individual DPIAs should be conducted for each system or process that involves the handling of personal data (including the linking or sharing of personal data with other parties). For the purpose of this Guide, the term “projects” will be used to refer to such systems or processes.
It is also possible for a DPIA to be conducted for multiple projects that are similar in purpose, scope and context. For instance, a retail organisation that intends to digitise the collection of consumer data across all its branches may conduct one DPIA exercise that covers the handling of consumer personal data across all branches.
Who should be involved in a DPIA?
An effective DPIA should involve relevant stakeholders from various functions of the organisation (e.g. the project manager, the organisation’s Data Protection Officer, IT department) and where needed, relevant external parties (e.g. subject matter experts), to identify, assess and address the data protection risks. The person leading the DPIA (henceforth “DPIA lead”) should ideally be the project manager or the organisation’s Data Protection Officer.
The table below lists the typical roles and responsibilities of the key parties involved in the DPIA. This Guide will assume that the DPIA lead is the project manager.
Who is involved?: Project manager
Who are they?: Person in charge of the project
What is their role in the DPIA?:
- DPIA lead, overall in charge of the DPIA, and could be supported by a DPIA team
- Assesses the need for a DPIA, plans the DPIA, and conducts the DPIA
- Identifies and seeks input from relevant stakeholders, including the project team, on:
  - potential data protection risks and challenges to the project from an implementation perspective
  - how identified personal data protection risks should be addressed and possible solutions
- Documents the DPIA report (which includes proposing a detailed action plan) for management approval
- Monitors DPIA outcomes and reviews the DPIA when there is a change in risks to personal data protection

Who is involved?: Data Protection Officer (DPO)
Who are they?: Person responsible for creating and enforcing the data protection policies within the organisation. May tap on DPO networks or associations for resources or advice from other DPOs to guide the DPIA lead on carrying out the DPIA.
What is their role in the DPIA?:
- Advises the DPIA lead through the DPIA process, including:
  - Identifying and mitigating identified data protection risks by providing support based on best practices adapted to the organisation’s needs and circumstances
  - Defining and applying the risk assessment framework
  - Ensuring that DPIAs are conducted according to the organisation’s policies, and recommending improvements to the DPIA methodology based on industry best practices
  - Reviewing the DPIA report prior to submission to management
- Develops the templates / DPIA questionnaire necessary to complete the DPIA
- Assists in reviewing the DPIA when there is a change in risks to personal data protection

Who is involved?: Other stakeholders
Who are they?: Other organisational functions or departments that have some level of involvement in the project and, where needed, external parties such as subject matter experts or even potentially affected individuals.
What is their role in the DPIA?:
- Provides input on potential risks and challenges to the project with respect to their function. For example:
  - Information Technology (IT): Advising the DPIA lead on possible IT solutions and security risks in implementing measures to protect personal data. This may also include advising on potential challenges in system design and development.
  - Customer Service or Communications: Advising the DPIA lead on possible consumer impact (e.g. in terms of usability) if the DPIA outcomes warrant a change to consumer interaction or day-to-day operations.
  - Human Resource or Staff Capability: Advising on the appropriate training programmes or resources should the DPIA outcomes require staff to be able to carry out new data protection measures or activities.