GDPR: Data Privacy Impact Assessments (DPIA)

July 23, 2017 | Blog, gdpr, privacy

The GDPR is just around the corner and is starting to open the eyes of many businesses, albeit too late in some cases. In fact, as of writing, “29% of UK businesses have not started preparing for GDPR”. Time is running out and there are a lot of things to look into and implement before the deadline of 25th May 2018.

One of the requirements that’s coming into effect is the use of Data Privacy Impact Assessments (DPIA).

What is a Data Privacy Impact Assessment?

From next year, the Data Privacy Impact Assessment will become a mandatory assessment for any business that processes data. Currently called a Privacy Impact Assessment (PIA), the ICO states that PIAs “are an integral part of taking a privacy by design approach. Our code of practice explains the principles which form the basis for a PIA.”

Will I need one?

DPIAs are there to help businesses that process personal data ensure they are doing everything they can to protect the safety and freedom of the individuals concerned. A DPIA will need to be carried out before or during any project that involves the processing of personal data.

DPIAs are there to help the business avoid potential fines and data breaches, by allowing individuals to edit, manage and request deletion of their data from all business systems within a reasonable amount of time.

If you haven’t performed a Privacy Impact Assessment or a Data Privacy Impact Assessment before, it is recommended that you go through your business, see what personal data you are holding and ensure you are doing everything right.

In the unfortunate event of a data breach, a DPIA must be followed through to ensure the safety of the individuals affected and reduce the overall risk moving forward.

If your business performs any of the following projects/actions, you are likely required to undertake a DPIA.

  • A new IT system for the storing and processing of personal data
  • The introduction of a new application which will access personal information
  • If data is to be shared between companies (even if they are part of the same group)
  • Implementing a new database which consolidates information held by other parts of the business
  • Identifying people in a group or demographic with the aim of initiating a course of action
  • Processing of sensitive personal data
  • Using existing personal data for more intrusive purposes
  • Using surveillance systems which will be able to identify people personally
  • Collection of personal information which will impact individuals’ privacy

How are they carried out?

A DPIA can be carried out in several ways, using spreadsheets, documents or automated forms, but they all follow the same sort of steps. These being:

  • Identify the need
  • Investigate and describe the information flow
  • Identify the privacy risks
  • Identify and evaluate the privacy solutions
  • Sign off and record the DPIA outcomes
  • Integrate the outcomes into a project plan
  • Consult with stakeholders of the business

Are they legally required?

Yes, they are. As described above, if your business processes any personal information which could potentially risk the identification of any individual, then you must complete a DPIA.

What are the benefits of doing a DPIA?

You’re probably thinking: are there any benefits to doing a DPIA? Apart from helping the business reduce the risk of a data breach and ensuring data compliance, the benefits are:

Example DPIA

If you’re still wondering how to go about creating a DPIA, we have an example one for you here: Example DPIA

Hope this has been informative and helps you on your way to ensuring you are all compliant with GDPR in the near future.