Since May 2018, GDPR has increasingly been whispered in strategic meetings and office corridors as organisations move swiftly to ensure they are compliant with the General Data Protection Regulation (GDPR).
So, what are Data Protection Impact Assessments (DPIA)?
Also known as privacy impact assessments or PIAs, they are essentially risk assessments detailing how organisations will process the personal data they hold. They are designed as an early warning process for potential threats to operations.
The Information Commissioner's Office (ICO) has long championed the process as a key part of its privacy by design strategy. Furthermore, whilst DPIAs are not a new concept, the introduction of GDPR will place greater significance on their use.
Why all the fuss if they’re old news?
When the GDPR comes into effect, DPIAs will be a mandatory requirement in certain circumstances.
When do I need to conduct a DPIA?
You must carry out a DPIA when:
- using new technologies; and
- the processing is likely to result in a high risk to the rights and freedoms of individuals.
Processing that is likely to result in a high risk includes (but is not limited to):
- systematic and extensive processing activities, including profiling, where decisions have legal effects – or similarly significant effects – on individuals.
- large scale processing of special categories of data or personal data relating to criminal convictions or offences. This includes processing a considerable amount of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to rights and freedoms, e.g. based on the sensitivity of the processing activity.
- large scale, systematic monitoring of public areas (CCTV).
What information should the DPIA contain?
- A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller.
- An assessment of the necessity and proportionality of the processing in relation to the purpose.
- An assessment of the risks to individuals.
- The measures in place to address risk, including security measures, and to demonstrate that you comply.
A DPIA can address more than one project.
See the ICO’s conducting privacy impact assessments code of practice for good practice advice.
Source: Information Commissioner's Office
How can we help?
We are running a number of practical training courses, 'Effective Data Protection Impact Assessments', taking place in several locations across the UK. These courses are designed to put you and your organisation in a better position to identify and prevent potential data breaches, and to reduce the risk of fines and damage to reputation which might otherwise occur.
Meet our chair:
Lynn Wyeth – Information Governance Manager for Leicester City Council
With over 10 years’ experience as a practitioner, Lynn holds a postgraduate diploma in Information Rights and the Certificate in Security Management Principles, as well as being an accredited HSCIPP privacy practitioner.
With previous experience working as a political assistant to an MP and an MEP, Lynn moved to her local council, where she now oversees the Council's Information Governance agenda, including data protection, freedom of information, information sharing, RIPA and CCTV.
Lynn is also the author of two books, A Practical Guide to Handling Freedom of Information Requests and Data Protection: Compliance in Practice. Along with helping health organisations with their information governance procedures, Lynn’s vast experience makes her the ideal chair for our Effective Data Protection Impact Assessments workshops. There she will discuss how organisations can better position themselves to identify and prevent potential data breaches, reduce the risk of fines and damage to reputation which might otherwise occur.
Now over to you...
Do you know about DPIAs? Do you have any tips that would benefit others in the run up to the GDPR? Are there any other crucial aspects that you would like to share? Tweet us using #UMGTraining @UModernGov; we always love to hear from you.
Do you have a team of staff at your organisation who would benefit from Data Protection Impact Assessments training? We also offer this course as a highly flexible In-House training session, delivered direct to your organisation on a date to suit you. Contact our In-House Training team on firstname.lastname@example.org to find out more.