GDPR: Data Protection Impact Assessments - what are they and when must an organisation carry them out?
One of the requirements of the General Data Protection Regulation (the GDPR) is to carry out a data protection impact assessment (DPIA) in certain circumstances. When should your organisation do this?
Let’s start with the wording in the GDPR. This says that a data protection impact assessment must be carried out where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. Well, that’s nice and clear!
Fortunately, there is some non-binding EU guidance which states that, as a rule of thumb, if your organisation’s processing of personal data meets at least two of the following criteria, a DPIA is required:
- Evaluation or scoring, including profiling and predicting
- Automated decision-making
- Systematic monitoring
- Involves sensitive data
- Carried out on a large scale
- Matching or combining datasets
- Relates to vulnerable data subjects
- Involves the innovative use or application of technological or organisational solutions
- Involves data transfers across borders outside the European Union
- Prevents data subjects from exercising a right or using a service or a contract
Hopefully the above gives organisations some more constructive guidance but, for each of the criteria, an organisation is likely to need a more detailed investigation into whether its processing activities are caught.
How should your organisation carry out a DPIA? The GDPR does specify some minimum standards for a DPIA, which are summarised below:
- A description of the processing and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller
- An assessment of the necessity and proportionality of the processing in relation to the purpose
- An assessment of the risks to individuals
- The measures in place to address the risks, including security measures, and to demonstrate compliance
As both the requirement to carry out a DPIA and the way in which one is carried out are new, we would recommend that your organisation speaks to us first to ensure that it is acting in compliance with the GDPR.
By Simon Bates