Data Protection Impact Assessment
Data Protection Impact Assessment - What is it? How to complete one?
A Data Protection Impact Assessment (DPIA) is set out in Article 35 of the GDPR. It follows from the “data protection by design and by default” principle in Article 25 and is a new obligation introduced by the GDPR.
Why DPIA?
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
The main objective of the DPIA process is to help identify and minimise the data protection risks of a project. Conducting a DPIA is now mandatory for projects that meet the Article 35 threshold, and it is an integral part of a privacy by design approach.
A DPIA is conducted for a project that involves the processing of personal data. It is legally required only where the processing is likely to result in a high risk to individuals; for lower-risk projects it is not mandated, but it remains good practice and is the simplest way to document that the risk was considered. A DPIA must be carried out before the processing starts, so it should begin at the planning stage of a project, and it should be reviewed whenever the processing changes in a way that affects the risk (Article 35(11)).
A DPIA should:
Describe the nature, scope, context and purposes of the processing
Assess necessity, proportionality and compliance measures
Identify and assess risks to individuals
Identify any additional measures to mitigate those risks
If the residual risk is still high after those measures, the controller must consult the supervisory authority before the processing begins (Article 36).
A DPIA is required if:
You’re using new technologies (artificial intelligence, blockchain, etc.)
You’re tracking people’s location or online behaviour
You’re systematically monitoring a publicly accessible area on a large scale (CCTV and other monitoring systems)
You’re processing personal data revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” (the special categories listed in Article 9)
You’re processing personal data to make automated decisions about people that have legal (or similarly significant) effects
You’re processing children’s data (under age 18)
This list is not exhaustive. The EDPB guidelines on DPIAs set out nine criteria and recommend a DPIA where two or more apply, and each supervisory authority publishes its own list of processing operations that require one (Article 35(4)); check the list of the authority you answer to.