The Information Commissioner's Office (ICO) has updated its guidance on data protection impact assessments (DPIA).
What is a DPIA?
DPIAs are a tool to help organisations identify and minimise the data protection risks of new projects. The GDPR includes an obligation for organisations to carry out a DPIA for processing that is likely to result in a high risk to individuals. This includes certain specified types of processing, and the ICO has published screening checklists to help you decide when a DPIA is required.
The updated guidance also includes examples of processing that is likely to result in high risk.
It's important to get it right, as a failure to carry out a DPIA when one is required can lead to enforcement action, including a fine of up to €10 million or up to 2% of global annual turnover, whichever is higher.
At Markel Law we regularly comment on SME related matters.
Yes, the GDPR includes a new obligation to conduct a DPIA for types of processing likely to result in a high risk to individuals’ interests. This is part of the new focus on accountability and being able to demonstrate that you comply with the GDPR. It is a key element of data protection by design and by default, and also reflects the more risk-based approach to data protection obligations taken throughout the GDPR.