
How to do a DPIA?

by Adam Brogden
in Blog

31-Jan-2019 15:49

DPIAs (Data Protection Impact Assessments) are pretty complicated but try not to get bogged down and concentrate on assessing the risk to data subjects rather than producing huge technical design documents. A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks. DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.

To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to indicate that all risks have been eradicated. But it should help you document them and assess whether or not any remaining risks are justified.

DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.

A DPIA may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint DPIA.

It’s important to embed DPIAs into your organisational processes and ensure the outcome can influence your plans. A DPIA is not a one-off exercise. You should see it as an ongoing process that is subject to regular review.

In summary, your DPIA should show that:

  • You describe the nature, scope, context and purposes of the processing.

  • You ask your data processors to help you understand and document their processing activities and identify any associated risks.

  • You consider how best to consult individuals (or their representatives) and other relevant stakeholders.

  • You ask for the advice of your data protection officer.

  • You check that the processing is necessary for and proportionate to your purposes, and describe how you will ensure compliance with data protection principles.

  • You do an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests.

  • You identify measures you can put in place to eliminate or reduce high risks.

  • You record your decision-making in the outcome of the DPIA, including any difference of opinion with your DPO or individuals consulted.

  • You implement the measures you identified, and integrate them into your project plan.

  • You consult the ICO before processing, if you cannot mitigate high risks.

  • You keep your DPIAs under review and revisit them when necessary.

A good DPIA helps you to evidence that:

  • You have considered the risks related to your intended processing

  • You have met your broader data protection obligations.

This checklist will help ensure you have written a good DPIA.

You should have:

  • Confirmed whether the DPIA is a review of pre-GDPR processing or covers intended processing, including timelines in either case

  • Explained why we needed a DPIA, detailing the types of intended processing that made it a requirement

  • Structured the document clearly, systematically and logically

  • Written the DPIA in plain English, with a non-specialist audience in mind, explaining any technical terms and acronyms we have used

  • Set out clearly the relationships between controllers, processors, data subjects and systems, using both text and data-flow diagrams where appropriate

  • Ensured that the specifics of any flows of personal data between people, systems, organisations and countries have been clearly explained and presented

  • Explicitly stated how we are complying with each of the Data Protection Principles under GDPR and clearly explained our lawful basis for processing (and special category conditions if relevant)

  • Explained how we plan to support the relevant information rights of our data subjects

  • Identified all relevant risks to individuals’ rights and freedoms, assessed their likelihood and severity, and detailed all relevant mitigations

  • Explained sufficiently how any proposed mitigation reduces the identified risk in question

  • Evidenced our consideration of any less risky alternatives to achieving the same purposes of the processing, and why we didn’t choose them

  • Given details of stakeholder consultation (e.g. data subjects, representative bodies) and included summaries of findings

  • Attached any relevant additional documents we reference in our DPIA, e.g. Privacy Notices, consent documents

  • Recorded the advice and recommendations of our DPO (where relevant) and ensured the DPIA is signed off by the appropriate people

  • Agreed and documented a schedule for reviewing the DPIA regularly or when we change the nature, scope, context or purposes of the processing

  • Consulted the ICO if there are residual high risks we cannot mitigate

There is a very useful template on the ICO website that will help.

Good luck all.