Data protection impact assessments (DPIAs) are a tool used to help businesses identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. In carrying out a DPIA, a business will conduct an audit to identify the personal data that it processes, what it does with that data and whether its processing activities present a high risk to the rights and freedoms of individuals. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.
A business must carry out a DPIA when:
(i) using new technologies; and
(ii) the processing is likely to result in a high risk to the rights and freedoms of individuals.
Processing that is likely to result in a high risk includes (but is not limited to):
(i) systematic and extensive processing activities, including profiling and where decisions that have legal effects – or similarly significant effects – on individuals.
(ii) large scale processing of special categories of data or personal data relation to criminal convictions or offences. This includes processing a considerable amount of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to rights and freedoms eg based on the sensitivity of the processing activity.
(iii) large scale, systematic monitoring of public areas (CCTV).
The obligation to carry out a DPIA exists under the Data Protection Act 1998 and is not limited to GDPR. Businesses should carry out a DPIA when required above and should not wait for the implementation of GDPR. That said, all businesses that have not carried out a DPIA when they should have done so, should carry out a DPIA prior to May 2018 to ensure that they can demonstrate compliance with GDPR and the wider data protection regime.
A DPIA should contain the following information:
(i) a description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller.
(ii) an assessment of the necessity and proportionality of the processing in relation to the purpose.
(iii) an assessment of the risks to individuals.
(iv) the measures in place to address risk, including security and to demonstrate that you comply.
(v) a summary of the data collected, the sources of such data and how it is processed.
A DPIA will usually be backed up by use of an electronic software solution to record and monitor data sources, the relevant processing conditions and to ensure compliance with the various obligations of data controllers and processors under the DPA 1998 and GDPR.