We are getting ever-closer to the introduction of GDPR legislation and whilst we are busy getting up to speed, there is an additional process to think about. Data Protection Impact Assessment (DPIA) is a specific process associated with GDPR that helps organisations to identify and mitigate risks in data processing activities – but what does this mean for businesses?
When GPDR comes into effect on 25 May 2018, organisations will be expected to carry out DPIAs where data processing is likely to result in a high risk to the rights of individuals whose data you collect or process. This derives from “Article 35” of the GDPR legislation and it outlines situations where it is mandatory, for example, when implementing new data processing technology, or when handling personal data that relates to criminal convictions.
There are six key stages of DPIA:
- Determining risk – what are the inherent risks of the processing operation.
- How is information used – detailing the flow of information within the processing operation, including collection, storage, usage and when it is deleted.
- Any related risks – as well as the processing of data itself, there could also be associated threats to the rights of individuals whose data you collect or process.
- Identify a solution – a plan for each identified risk must be considered, e.g. whether to accept or reject the risk, whether to transfer it or take steps to reduce the impact.
- Record outcomes – after these DPIA steps have been implemented they should be recorded. They should then either be signed off by whoever is responsible for those decisions, or, where a high risk has been identified, the organisation must submit the DPIA to the regulatory authority for consultation.
- Integrate outcomes – you will need to continually refer to the DPIA in order to ensure that it is being followed and that its responses to the risks have been implemented effectively.”
A DPIA helps organisations to find and fix problems at the early stages of any project, reducing the associated costs and damage to reputation that might otherwise accompany a data breach.
The ICO has outlined further guidelines which can be accessed here. For more information, you can also contact Wilkins Kennedy, where our experts can advise on a number of issues relating to GDPR and the running of your business.