The DPIA must cover the following:
- a description of the nature, scope, context and purposes of the processing
- as applicable, the legitimate interests pursued by your business
- an assessment of the necessity and proportionality of the processing in relation to the purpose
- an objective assessment of the risks to individuals, which considers both the likelihood and severity of the possible harm
- what controls (including security controls) you have identified to address each of those risks, and whether each risk is eliminated, reduced or accepted as a result.
If the resulting DPIA identifies a high risk and no mitigating measures can be taken, you cannot go ahead with the processing without first consulting the ICO. Conversely, if the residual risk (once mitigation has taken place) is no longer high, the ICO does not need to be consulted.
You will need a DPIA framework tying together the existing risk management and project management procedures with the specifics required for data impact management.
To avoid repetitive work, a single DPIA may cover several processing operations that are similar in terms of risk, provided appropriate consideration is given to the specific nature, scope, context and purposes of each.
You will need to allocate appropriate staff members to undertake each DPIA:
- Who will lead on it?
- Who else needs to be involved?
- Will the process be run centrally or locally?
Where third-party data processors are used, their organisations will have to be involved in the DPIA. It may also be relevant to seek the views of data subjects (the individuals whose data is to be held) where such input helps to identify the risks and their impact.
See also When is a DPIA necessary?