GDPR in focus: When should I undertake a Data Privacy Impact Assessment?
The GDPR are effectively about putting a security blanket around personal data.
So, in line with adhering to the regulations, the concept of ‘Privacy by Design’ is entirely based on systems being created, maintained and enhanced to ensure that privacy and security are upheld.
Acting as a review of systems already in place and a consideration of the impacts of new or changes to systems, the Data Privacy Impact Assessment enables a business to assess the risk level of its processes relative to the security of personal data. As well as considering the privacy of this information, understanding the impact that data loss can have on an individual is a crucial step in working out what preventative actions should be taken.
But, it can be difficult to calculate when is the best time to undertake a DPIA.
If an organisation is processing personal data but has never undertaken a DPIA, then this should be done as soon as possible. Running an assessment means that further decisions about data processing can be made based on fact rather than assumption. From this point onwards, a DPIA should then be carried out for any new or amended process that involves personal data.
The outcome of a DPIA should provide a clear definition of:
- Each process and operation
- A risk analysis relating to the ‘freedoms and rights of individuals’ (e.g. what damage could occur to an individual in the event of a personal data breach)
- The needs, proportionality and legal basis for requiring the data
- Any counter measures or activities necessary to tackle the identified risks
- What compliance processes are in place
- The degree to which individuals have or can be informed of the above aspects.
A successful DPIA should provide a coherent written account of the activities outlined above. This documentation is vital, as it would be the first thing a supervisory authority – the Information Commissioners Office (ICO) for the UK – would ask to see in the event of either a breach or a complaint from a data subject.
Need more support? We provide these assessments! Find out more here, or call us for a chat about how a DPIA could benefit your business.