Data Protection Impact Assessments
What is a DPIA?
A Data Protection Impact Assessment (DPIA) is a process by which you determine the impact your processing will have on the data subject. For example, suppose you propose a new payroll system for your employees that will use employee fingerprints to control access to the system. A DPIA should be conducted to determine whether there are risks associated with this new system, whether the benefits of the system outweigh those risks, and how you will mitigate any risks that have been identified.
This is an integral step in proactively assessing data protection in your business, and a critical item for compliance with the GDPR. In some instances a DPIA is required by the GDPR; in many others it is simply sound practice.
Why do we need to conduct a DPIA?
Article 35(1) of the GDPR says that you must conduct a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals. This is particularly important when new technology is being introduced. The DPIA will assist your organisation in determining whether there is indeed a high risk to the rights and freedoms of individuals and, if so, how to mitigate those risks. In cases where it is not clear whether a DPIA is strictly mandatory, carrying out one is still good practice and a useful tool to help data controllers comply with data protection law.
I am a small business, must I conduct a DPIA?
While the law discusses large-scale processing of personal data, there are other factors to consider. Article 35(3) lists three types of processing that always require a DPIA; they may or may not apply to your business:
- Systematic and extensive profiling with significant effects
- Large-scale use of sensitive data
- Public monitoring
However, the Article 29 working party of EU data protection authorities (WP29) published guidelines with nine criteria which may act as indicators of likely high risk processing:
- Evaluation or scoring.
- Automated decision-making with legal or similar significant effect.
- Systematic monitoring.
- Sensitive data or data of a highly personal nature.
- Data processed on a large scale.
- Matching or combining datasets.
- Data concerning vulnerable data subjects.
- Innovative use or applying new technological or organisational solutions.
- Preventing data subjects from exercising a right or using a service or contract.
In most cases, if a processing operation meets two or more of these criteria, it is strongly recommended that you perform a DPIA, but this is not a hard and fast rule.
We are of the view that identifying personal data and the processing of that data is always a useful exercise and critical to your compliance with the GDPR. Determining the level of risk that processing incurs, documenting how you mitigate those risks, or documenting why you believe you do not need to mitigate them, demonstrates to both your data subjects and to the Data Commissioner that you take data protection seriously.