Data Protection Impact Assessments
The Data Protection Impact Assessment (DPIA) is mandatory if you process personal data in a way that might present a high risk to people.
For example, processing of information that automatically profiles individuals, processing of sensitive data, CCTV in public places or systemic monitoring of staff may require a DPIA. The purpose of the DPIA is to identify potential risks to the rights and freedoms of people
This isn’t to say that data analytics or CCTV are illegal, it means that businesses have to take steps to prove that processing methods are safe, before using them. DigiTorc take a very pragmatic view of data protection. In our experience DPAIs support good design, built trust and save organisations money. Performing a DPIA is also an excellent opportunity to drive home the need to design with data minimisation and privacy by design in mind. It is good practice to do a DPIA for any major project which requires the processing of personal data.
DigiTorc will work with you to decide if your business processing activities require a DPIA. If a DPIA is required we will
- Identify the data being processed
- Verify the nature, scope, context and purposes of the processing
- Assess necessity, proportionality and compliance measures
- Identify the risks associated with the processing
- Identify solutions/mitigations to the risks
- Document the findings
To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
Data Protection Impact Assessment benefits
DPIAs bring many advantages to business
- Reduce wasteful data processing and storage
- Minimize risks of data breaches to your reputation
- Prevent unlawful or rogue processing
- Implement privacy by design and by default
- Avoid fines, investigations and sanctions
- Build customer trust
Unsure if you require a DPIA? Contact us. and one of our experts will discuss your options without obligations.
- The origin of Data Protection Impact Assessments The use of an assessment methodology to personal understand privacy risks and rights has been known since the mid-1990s . The growing interest in what were then called Privacy Impact Assessments (PIA) was triggered by the exponential growth of data storage and analysis plus the public reaction to the inevitable leaks and scandals. Today DPIAs ...
- Do I have to do a Data Protection Impact Assessment? The law across Europe now says a DPIA is required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR Article 35(1)). Where the key term is “high risk”. To be clear not all processing requires a DPIA. A DPIA is mandatory for that subset of processing activities which meet the threshold of high risk. Since GDPR ...
- CCTV and Data Privacy: What’s the story? A sensible and well-designed and CCTV system is a powerful tool for deterring criminals and tackling security issues. On the other hand, badly designed systems, cause legal and PR problems while generating a false sense of security. In our experience, privacy and security are not mutually exclusive. We find a pragmatic approach based on the twin ...
- The What, Which, When & Who of DPIAs Data Protection Impact Assessments (DPIAs) are an often misunderstood element of GDPR compliance. Like so much of the GDPR there is little precision in the regulations, but a process must be followed and an artefact must be produced. This DigiTorc article, one of a series of occasional articles, defines: What a DPIA must consist of? Which processing activities require a DPIA? When a DPIA ...