The Data Protection Impact Assessment (DPIA) is a valuable tool for managing the data protection impacts of processing within your organisation. It allows you to identify, and then resolve, issues early on, avoiding the costs and reputational damage that might otherwise follow.
The aim is to make your operations as effective as possible, so that GDPR compliance and the privacy of the individuals concerned are both maintained without hindering the new operations of your organisation.
There are some instances when the GDPR requires that a DPIA must be carried out:
- Before any operation likely to result in a high risk. This happens before you have carried out a formal risk assessment (which would usually take place once the operation has started), and involves identifying the key factors that point to the potential for a widespread or serious impact on individuals.
- Where you are using systematic and extensive profiling with significant effects.
- Where you are processing Special Category or criminal offence data on a large scale.
- Where you are systematically monitoring publicly accessible places on a large scale.
There are other instances where the ICO requires you to perform a DPIA, namely where you plan to:
- use new technologies
- use profiling or Special Category data to decide on access to services
- profile individuals on a large scale
- process biometric data
- process genetic data
- match data or combine datasets from different sources
- collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’)
- track individuals’ location or behaviour
- profile children or target marketing or online services at them
- process data that might endanger the individual’s physical health or safety in the event of a security breach.
The guidance also suggests that you may wish to undertake a DPIA for any other processing that:
- is large scale,
- involves profiling or monitoring,
- decides on access to services or opportunities,
- involves sensitive data or vulnerable individuals.
Whether or not you believe there may be a high data security risk, it is good practice to perform a DPIA for any significant new project in which personal data is used.
See also What does a DPIA involve?