Countdown to GDPR: Defining Data Protection Impact Assessments
Long before the GDPR, the ICO was championing the Data Protection Impact Assessment. Now, thanks to the GDPR, what was once good practice will become law.
A Data Protection Impact Assessment (DPIA) is a tool which will help businesses to identify, assess and correct any privacy risks within their data processing practices before any data is compromised.
When would you need to do a DPIA?
The biggest trigger for a Data Protection Impact Assessment is if your processing is "likely to result in a high risk to the rights and freedoms of natural persons (EU citizens)."
Not sure if your processing counts? The EU Article 29 Working Party's draft guidelines give you the following 10 criteria to consider:
- Evaluation or scoring. This includes profiling and predicting, especially from "aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements".
- Automated decision-making with legal or similarly significant effect. This is any processing intended to make decisions about individuals which produces "legal effects concerning the natural person" or which "similarly significantly affects the natural person". Any processing with little or no effect on individuals does not match this criterion.
- Systematic monitoring. Processing used to observe, monitor or control data subjects. This includes data collected through "a systematic monitoring of a publicly accessible area."
- Sensitive data. Including special categories of data as well as personal data relating to criminal convictions or offences.
- Data processed on a large scale.
- Data sets that have been matched or combined, coming from two or more data processing operations performed for different purposes or by different data controllers.
- Data concerning vulnerable data subjects. The power imbalance means the individual may be unable to consent to, or oppose, the processing.
- Innovative use or application of technological or organisational solutions. New forms of technology can involve novel forms of data collection and usage, posing a significant risk to individuals' rights and freedoms.
- Data transfer across borders outside the European Union.
- When the processing "prevents data subjects from exercising a right or using a service or a contract." This criterion includes processing that aims at allowing, modifying or refusing individuals access to a service or entry into a contract.
As a rule of thumb, if your processing activities involve just two of the above criteria, a DPIA is advisable. But if you believe your processing is unlikely to be high risk, you must detail your reasons for not carrying one out.
So, exactly how do I carry out a DPIA?
You should do a DPIA as early in the design of the processing operation as possible, that is, before any processing starts, even if some processing operations are still unknown. Then you should update the DPIA throughout the life of the project.
The minimum features your DPIA should include are:
- A description of the processing operations and purposes.
- An assessment of the necessity and proportionality of the processing.
- An assessment of the risks to the rights of the individual.
- Measures designed to mitigate risks and demonstrate compliance.
Correctly used, DPIAs will help Data Controllers ensure they comply with the GDPR. Most importantly, DPIAs will reduce the risk of data being compromised.
Maybe you just need an expert to translate. If so, get in touch with the experts at Mackman today. Email us at email@example.com or give us a call on 01787 388038.