A data protection impact assessment (DPIA), also known as a ‘privacy impact assessment’, serves two main purposes, helping with:
- incorporating data protection considerations into organisational planning; and
- demonstrating compliance to supervisory authorities.
The DPO is tasked to ‘provide advice where requested as regards the DPIA and monitor its performance’ (Article 39(1)(c)).
When is a DPIA required? (Article 35(1))
A DPIA is required where the processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’. In determining whether a DPIA is required, the nature, scope, context and purposes of the processing, the type of processing and any use of new technologies should be considered.
Examples of processing that will require a DPIA include:
- Conducting ‘a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person’;
- Conducting ‘processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences’;
- Conducting ‘a systematic monitoring of a publicly accessible area on a large scale’.
What should a DPIA include?
A DPIA should include:
- A description of the processing, including its purposes and, where applicable, the legitimate interest being pursued by the controller;
- An assessment of the necessity and proportionality of the processing, and of the risks it poses to the rights and freedoms of data subjects;
- The measures envisaged to address those risks (in other words, the data protection by design and data protection by default controls).
When must the supervisory authority be contacted?
Consultation with the supervisory authority is required prior to processing where the DPIA indicates that the processing would result in a high risk to data subjects in the absence of measures to mitigate that risk. In addition to the DPIA itself, this communication should include:
- The respective responsibilities of the controllers and processors;
- The purposes and means of the processing;
- The measures and safeguards;
- The contact details of the DPO.
If the supervisory authority considers that the processing would not comply with the GDPR, or that the controller has not sufficiently mitigated the risks, it must provide written advice to the controller within eight weeks of receiving the consultation request (extendable by a further six weeks where the processing is complex) and may exercise its corrective powers, including blocking the processing activities.
In summary, a DPIA can be a useful tool for assessing the impact of processing personal data on the rights and freedoms of individuals.
CloudLegal can provide you with further advice if you need it!
Tel: 0800 6894168