With the implementation of GDPR just a week away, most companies have taken steps to ensure they are on the right track to becoming GDPR compliant. Some may have started on this journey later than others and are unsure about which aspects of the regulation will apply to their business.
There has been some confusion surrounding data protection impact assessments (DPIAs), and many organisations are unsure whether this is something they need to undertake.
Data Protection Impact Assessments can be used to identify and reduce any data protection risks that arise from a new project, which may in turn affect your organisation or the individuals it engages with.
Projects could include a business acquisition, a new service, or a marketing campaign aimed at potential prospects.
When your business collects, stores or uses personal data, the individuals whose data you are processing are exposed to a number of risks. These include the theft of personal data, the misuse of data by criminals, and the concern of individuals that their data may be used by your business for unknown purposes.
A Data Protection Impact Assessment (DPIA) is a structured approach, designed to identify the risks associated with the processing of personal data and to help minimise these risks as quickly as possible. This in turn reduces the associated costs and damage to reputation that might accompany a data breach whilst demonstrating compliance with the GDPR.
Every company that does business with EU citizens must decide whether their organisation needs to carry out a DPIA. Under the GDPR, a DPIA is mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons.”
A DPIA will be required if your organisation:
• Uses new technologies
• Uses profiling or special category data to decide on access to services
• Profiles individuals on a large scale
• Processes biometric data
• Processes genetic data
• Matches data or combines datasets from different sources
• Collects personal data from a source other than the individual without providing them with a privacy notice
• Tracks an individual’s location or behaviour
• Profiles children or targets services at them
• Processes data that might endanger the individual’s physical health or safety in the event of a security breach
The Data Controller within an organisation will be responsible for ensuring the DPIA is carried out. It may be delegated to someone else within the organisation, but the Data Controller will ultimately be held accountable.
Conducting a DPIA will improve awareness levels and ensure that all members of an organisation and stakeholders are informed about the data privacy risks.
DISCLAIMER: The content and opinions within this blog are for information purposes only. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances, the Data Protection Act, or any other current or future legislation. Cyber Radio shall accept no responsibility for any errors, omissions or misleading statements, or for any loss which may arise from reliance on materials contained within this blog.