As you may be aware, the General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It expands on the existing Data Protection Act and introduces new requirements and obligations for businesses.
One of the changes is a new obligation to do a Data Protection Impact Assessment (DPIA) before carrying out processing likely to result in high risk to individuals’ rights and freedoms.
What is a DPIA?
Broadly speaking, it's a documenting process to help you identify and minimise the data protection risks of a project.
When should you complete a DPIA?
A DPIA is required for any type of processing which is “likely to result in a high risk”. To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
The Information Commissioner's Office (ICO) offers screening checklists to help you decide when to do a DPIA. It is also good practice to do a DPIA for any major project which requires the processing of personal data.
What should you include in a DPIA?
Ideally, you should:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
High risk processing
If you do a DPIA and identify a high risk to individuals' rights and freedoms that you cannot mitigate, you must consult the ICO before starting the processing.
You must do a DPIA for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests. You can use our screening checklist to help you decide when to do a DPIA.