Data Protection Impact Assessment – DPIA
How prepared are you to take that Risk?
What's The Purpose of a Data Protection Impact Assessment (DPIA) ?
If you store personal data and therefore fall under the requirements of the GDPR, then one of the obligations of an organisation is to determine whether they require undertaking a Data Protection Impact Assessment (DPIA). The requirement to carry out a DPIA applies to existing processing operations likely to result in a high risk to the rights and freedoms of natural persons and for which there has been a change of the risks, taking into account the nature, scope, context and purposes of the processing.
Essentially a DPIA is a risk assessment of the proposed processing of personal data by an organisation and is designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them.
DPIAs are important tools for accountability, as they help organisations not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been undertaken to ensure compliance with the regulation. In other words, a DPIA is a process for building and demonstrating compliance.
Under the GDPR, non-compliance with DPIA requirements can lead to fines imposed by the ICO. Failure to carry out a DPIA when the processing is subject to a DPIA and carrying out a DPIA in an incorrect way and or failing to consult the ICO where required, can result in an administrative fine of up to 10M€, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Whats Involved in The DPIA?
Following enforcement of the GDPR in May 2018, DPIAs are mandatory each time an organisation plans or proposes to introduce a new technology, project, activity or process that is likely to result in a “high risk” to the data protection rights of individuals. Furthermore the ICO has promoted the use of DPIAs as an integral part of taking a privacy-by- design approach. This will also apply when an organisation is planning revisions to existing technology, projects, activities or processes and to operations, which include employee personal data or other forms of personal data.
DPIA’s vary greatly in complexity, dependent mainly on the size of your organisation and the extent, location, visibility and ease of access to the personal data you store. The regulation sets out the following minimum required features:
- A description of the envisaged processing operations and the purposes of the processing – for example, explaining what personal data will be used, who will it be obtained from or disclosed to, who will have access to it;
- An assessment of the necessity and proportionality of the data processing;
- An assessment of the risks to the rights of the individuals affected (for example, financial loss, distress or the risk that inadequate disclosure controls could increase the likelihood of personal data being shared inappropriately); and
- The measures envisaged to address the risks and demonstrate compliance with the GDPR. (Some risks may be able to be eliminated altogether or reduced, however most activities will have some impact on privacy and will require an organisation to accept some level of risk.)
QualityCERT’s experienced data protection consultants can help and advise on all aspects of the Data Protection Impact Assessment (DPIA) process. We can provide expert data protection knowledge and the tools, processes and documentation necessary to significantly reduce the resource overhead required to complete the process. This ensures that the findings and recommendations are the most accurate and appropriate as expected by the supervisory authority, the ICO.
Our Data Protection Impact Assessment (DPIA) is conducted by IAPP Certified Information Privacy Professionals. As well as being highly qualified in General Data Protection Regulations our consultants are fully qualified auditors in other quality standards and business management systems.
We are industry practitioners who specialise in data protection, compliance, risk and governance and we are well versed in helping companies become GDPR and ISO certified.
Our GDPR practitioners cover all the key elements of the regulation to ensure you fully understand the steps and approaches your company needs to become GDPR compliant by focusing on providing practical approaches that can be easily implemented into your organisation.
Additionally our instructors have a wealth of ‘hands on’ industrial and commercial experience in the real world. All in all this ensures that you get the best GDPR compliance service available anywhere in the UK.