Data Protection Impact Assessments (DPIAs) can be used to identify and mitigate any data-protection-related risks arising from a new project which may affect your organisation or the individuals it engages with.
When your organisation collects, stores or uses personal data, the individuals whose data you are processing are exposed to risks.
These risks range from personal data being stolen or inadvertently released and used by criminals to impersonate the individual, to individuals worrying that their data will be used by your organisation for unknown purposes.
A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to mitigate these risks as far and as early as possible.
DPIAs are important tools for negating risk, and for demonstrating compliance with the GDPR. After 25th May 2018, DPIAs become mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons.” This is particularly relevant when a new data processing technology is being introduced.
In cases where it is not clear whether a DPIA is strictly mandatory, carrying out a DPIA is still good practice and a useful tool to help data controllers comply with data protection law.
The GDPR provides some non-exhaustive examples of when data processing is “likely to result in high risks”:
XpertDPO can work with your organisation to produce a detailed DPIA for your processing operations.