
When Should You Conduct a DPIA?


Sometimes we fall into doing something as a matter of procedure without really understanding why it is important or what benefit the process brings. Such is the case with the DPIA (Data Protection Impact Assessment), which is pivotal to GDPR compliance. In general, conducting a DPIA will improve awareness in your organisation of the data protection risks associated with a project and improve how those data privacy risks are discussed with the relevant stakeholders.

Let’s start with the basics…

What is a DPIA?

The DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan. When a DPIA is properly done, it assesses and demonstrates how compliant you are with your data protection obligations.

DPIAs consider not only compliance risks but also wider risks to the rights and freedoms of data subjects, including the possibility of any substantial social or economic disadvantage. The emphasis is on the potential for harm to individuals or society at large, whether it is physical, material or non-material.

A DPIA done effectively brings broader compliance, financial and reputational benefits, helping to demonstrate accountability and to build trust and engagement with individuals.

Some of the benefits of conducting a DPIA are as follows:

  • Certifying and proving that your organisation is compliant with the GDPR, thereby avoiding the penalties and sanctions attached to non-compliance
  • Inspiring public confidence by improving communications about data protection issues
  • Your users are not at risk of having their data protection rights violated
  • Enabling organisations to embed data protection by design
  • Reducing operating costs by optimising information flows within a project and eliminating unnecessary data collection and processing

Data protection by design means embedding data privacy features and data privacy-enhancing technologies directly into the design of projects at an early stage.

When should you conduct a DPIA?

DPIAs are needed before any type of risky processing is started. To quote Article 35(1), “you must do a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals.”

Article 35 outlines some situations in which a DPIA is mandatory. One is when processing special categories of data on a large scale, or any personal data relating to criminal convictions. Another is when processing is based on automated decision-making, including profiling. The last case outlined in Article 35 is when there is systematic monitoring of a publicly accessible area on a large scale.

Commonly asked DPIA questions

Q: If we already carry out Privacy Impact Assessments, do we still need to carry out the DPIA?

A: The two processes are similar; however, your internal policies, processes and procedures will need to be reviewed to ensure they meet the key requirements of the DPIA under GDPR. This includes specific matters such as ensuring your screening questions comply with the new requirements.

Q: When is a DPIA not required?

A: A DPIA is generally not required in the following cases:

  • Where the processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).
  • When the nature, scope, context and purposes of the processing are very similar to the processing for which DPIAs have been carried out. In such cases, the results of a DPIA for similar processing can be used (Article 35(1)).
  • Where a processing operation has a legal basis in EU or Member State law and has stated that an initial DPIA does not have to be carried out, where the law regulates the specific processing operation and where a DPIA, according to the standards of the GDPR, has already been carried out as part of the establishment of that legal basis (Article 35(10)).
  • Where the processing is included on the optional list (established by the supervisory authority) of processing operations for which no DPIA is required (Article 35(5)).

Q: Is a DPIA mandatory for processing operations that already existed before the GDPR became effective on 25 May 2018?

A: DPIAs are legally mandatory only for processing operations that are initiated after 25 May 2018, when the GDPR became effective. Nevertheless, the Article 29 Working Party strongly recommends carrying out DPIAs for all high-risk operations before this date.

Do you have a specific question not addressed in this blog post? Contact one of our DPA and GDPR experts and we’ll be happy to answer.



Risk Crew