Data Protection Impact Assessments

Data Protection Impact Assessments (DPIAs) can be used to identify and mitigate any data protection related risks arising from a new project which may affect your organisation or the individuals it engages with.

When your organisation collects, stores or uses personal data, the individuals whose data you are processing are exposed to risks.

These risks range from personal data being stolen or inadvertently released and used by criminals to impersonate the individual, to worry being caused to individuals that their data will be used by your organisation for unknown purposes.

A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to mitigate these risks as far and as early as possible.

DPIAs are important tools for negating risk, and for demonstrating compliance with the GDPR. After 25th May 2018, DPIAs become mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons.” This is particularly relevant when a new data processing technology is being introduced.

In cases where it is not clear whether a DPIA is strictly mandatory, carrying out a DPIA is still good practice and a useful tool to help data controllers comply with data protection law.

The GDPR provides some non-exhaustive examples of when data processing is “likely to result in high risks”:

  • “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person”
  • “processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10”
  • “a systematic monitoring of a publicly accessible area on a large scale”

XpertDPO can work with your organisation to produce a detailed DPIA for your processing operations.