When do I have to carry out a Data Protection Impact Assessment?
Whether you are already GDPR compliant or on the journey to becoming compliant, you need to familiarise yourself with data protection impact assessments (DPIAs) and ensure that you carry one out for all the data you process and the different tasks your business carries out. But what is a DPIA and how do you go about completing one?
What is a data protection impact assessment?
A Data Protection Impact Assessment (DPIA), also known as a Privacy Impact Assessment (PIA), is a tool for identifying how your work might impact the people whose data you’re using. From the perspective of the General Data Protection Regulation (GDPR), your primary concerns are:
What will be the privacy impacts of this work?
How will I ensure privacy is maintained?
Carrying out a DPIA is a straightforward process, but you need to think about the types of information you’re using and what could happen if you lost control of them.
A good DPIA will help you sort out the sensitive data that you must protect carefully from day-to-day contact information that is less of a worry.
When might I need a DPIA?
A DPIA is the first thing you should do when starting a new project, to make sure you give privacy considerations a high priority.
A new project might require you to handle new personal information, for example, one Astrid client wanted to start working with social media influencers but needed to gather information on them. The DPIA helps the organisation to understand what kinds of information are involved and what the impacts of mishandling that information might be. In this example, the aim was only to use information that influencers had already put onto social media – so the impacts of publishing or losing the information are really quite low.
Do I need to do a DPIA for personal data I’m already processing?
If you don’t have a data protection impact assessment in place for work you’re already doing, then we recommend you start on one right away. Without a DPIA, you can’t be sure you’re in control of the personal data your business uses. The DPIA will identify the biggest potential problems so you can focus on managing those risks first.
We recommend that you look out for areas where you process data that’s either ‘special category’ or could put people at risk of financial or reputational loss. Special category data is sensitive personal data such as racial origin and religious beliefs; it is prohibited to process this data unless particular grounds for processing it are met. Businesses such as legal and financial services, professional healthcare and wellbeing services face particular risks, as losing sensitive client information could have significant impacts on clients’ lives. Performing a DPIA as quickly as possible will highlight these risks and help you manage them.
How do I complete a data protection impact assessment?
Whatever your business, Astrid has simple tools and guidance you can use to get a DPIA in place and tackle any issues you identify. By completing tasks 2, 3 and 5 in the first stage of our process, you have performed a comprehensive DPIA. Astrid also has all the guidance you need to review DPIAs and make sure they’re up to date. Register for Astrid today.
You can find out more about data protection impact assessments on the ICO website, but we think the ICO’s guidance is too complicated for small businesses, which is why Astrid simplifies it!
Protect your business - become and remain GDPR compliant with Astrid