The principle is:
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
The main objective of the DPIA process is to help identify and minimise the data protection risks of a project. Conducting a DPIA for projects that require one is now mandated, as DPIAs are an integral part of taking a privacy-by-design approach.
A DPIA is conducted for a project that involves the processing of personal data. Whether it is a major project involving high risk or a minor project, this assessment is mandated. Ideally, a DPIA should be conducted before and during the planning stages of a particular project.
A DPIA should be conducted as early as possible in the life of any new project. It is easier for a company to incorporate findings and recommendations into the design of the processing operation before it is too late. A DPIA is only mandatory where the data processing is likely to result in a high risk. The GDPR helps here by explicitly listing a few conditions that explain when a DPIA is necessary.
Once you confirm that the DPIA is mandatory, the next step is to describe the information flow. For instance, it is necessary to provide details on how the information within the processing operation is collected, stored, used and disposed of.
If you identify a high risk that you cannot mitigate, the UK’s ICO (Information Commissioner’s Office) should be consulted before you start the processing.
Within 8-14 weeks, the ICO will give written advice for the complex cases that are identified. Based on this advice, you can either proceed with processing the data, or the ICO may issue a formal warning not to process it or ban the processing altogether.