What is a DPIA and do I need to do one?

The GDPR introduced a number of obligations that change how organisations handle personal data, one of which is the Data Protection Impact Assessment (DPIA). But what is a DPIA, and do you need to do one? In this blog we look at the topic in more detail, explain when a DPIA is required, and cover the essential steps that follow once you have completed one.

So first things first, what is a DPIA?

A Data Protection Impact Assessment (DPIA) is a structured process that organisations use to systematically identify and assess the privacy and data protection risks of a processing activity, whether that is a product they offer, a service they provide or an internal process. It allows them to understand the impact on the individuals whose data is processed and to take appropriate action to prevent, or at least minimise, those risks before the processing starts.

DPIA: Why is it important?

Firstly, a DPIA is a legal requirement under Article 35 of the GDPR. It is not optional where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of individuals.

However, a DPIA does more than keep you compliant. It also benefits the organisation because it:

  1. Builds data protection considerations into the design of processing activities (privacy by design)
  2. Provides documented evidence of compliance that can be shown to a supervisory authority
  3. Surfaces risks in a processing activity before it goes live, when they are far cheaper to fix than after a breach or complaint
  4. Shows partners and contractors that data privacy compliance is a priority for your organisation and that you have taken the necessary measures

When should you do one?

You must carry out a DPIA when the type of processing is likely to result in a high risk to the rights and freedoms of individuals. The European Data Protection Board (EDPB) guidelines list nine criteria that indicate such a risk:

  • systematic and extensive evaluation or scoring of personal aspects of an individual, including profiling and predicting
  • processing of sensitive data (special categories under Article 9) or data of a highly personal nature
  • automated decision-making about people that has legal or similarly significant effects
  • innovative use of new technologies or new organisational solutions
  • systematic monitoring, e.g. tracking the location or behaviour of people
  • data processing on a large scale
  • matching or combining datasets
  • processing data of vulnerable data subjects, such as children, employees or patients
  • processing that might prevent data subjects from exercising a right or using a service or contract

As you can see from the list above, these activities can threaten people's rights and freedoms. Under the EDPB guidance, processing that meets two or more of the criteria will in most cases require a DPIA, and a single criterion can be enough where the processing is high risk in some other way. Article 35(3) also makes a DPIA mandatory in three specific cases: systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special-category or criminal-conviction data, and systematic monitoring of a publicly accessible area on a large scale.

Many EU countries' data protection supervisory authorities have published "blacklists" (the lists required by Article 35(4) GDPR) of processing operations that trigger the need for a DPIA in that country. For the most part, these lists align with the criteria in the previous section, but they can add country-specific cases. If you process a lot of personal data from a particular country, reviewing that country's list is recommended to ensure compliance.

For example, in Ireland a DPIA is mandatory where the processing involves profiling vulnerable people, such as children, in order to target marketing at them. The Irish Data Protection Commission publishes the complete list of blacklisted processing activities.

The UK's Information Commissioner's Office (ICO) has also produced a list of processing operations that require a DPIA, including targeting children and other vulnerable individuals for marketing. The full list is published by the ICO.

What to do after completing a DPIA?

Once you have completed the DPIA, you may think the work is done and the document can be filed away. That is not the case. There are several steps to take after completing a DPIA, and they depend on its results.

  • If the DPIA finds that controls and mitigating measures can bring the risk of the processing down to an acceptable level, the actions are:
  1. Implement the controls and mitigating measures identified, and record who is responsible for each and when it was done.
  2. Save the DPIA. It is now a living document that must be revisited and updated whenever the processing activity changes, for example a new data source, a new processor or a new purpose.
  • If the DPIA identifies a high risk that cannot be mitigated, first consider whether the high-risk processing is necessary at all, or whether you could achieve the same goal in a less intrusive way. If you still want to go ahead with the processing, Article 36 GDPR requires you to consult your supervisory authority before starting it (prior consultation); the authority has eight weeks, extendable by six, to respond with written advice.

If you are unsure how to proceed with completing a DPIA or would like to talk to an expert, why not book a call with one of our certified compliance experts today? 
