Under Article 35(1), Data Controllers will be required to carry out data protection impact assessments (a “DPIA”) if their proposed activities are likely to result in “a high risk for the rights and freedoms of individuals”, in particular, through the use of new technologies and in cases of profiling.
This is an internal policy to be used by a business, setting out the principles and legal conditions around the performance of DPIAs in the course of its operations and activities. It is tailored to comply with the GDPR.
DPIAs should be carried out in various instances, e.g. when:
- introducing a new IT system that stores or processes personal data
- developing internal policies or strategies that have data privacy implications
- sharing data with other offices or externally
- introducing new reasons to process data
- upgrading existing processes where personal data exists
A DPIA should include:
- a description of the processing, including its purpose and the legitimate interest being pursued;
- the necessity of the processing, its proportionality and the risks that it poses to data subjects;
- measures to address those risks (in other words, the data protection by design and data protection by default controls).
In addition to the DPIA, this communication should include:
- responsibilities of the Data Controllers and Data Processors
- purposes and means of the processing
- measures and safeguards
- contact details of the DPO
A DPIA can be a useful tool for assessing the impact of processing personal data on the rights and freedoms of individuals.
See more on DPIAs here: https://cloudlegalsupport.com/data-protection-impact-assessment/