Countdown to GDPR #7: Data Protection Impact Assessment
We’ve made it to #7 in our 10-part GDPR blog series. In this blog post, we tackle Data Protection Impact Assessment (DPIA) and what it may mean for your organization.
The Chapter Explained
GDPR’s Article 35 is all about the DPIA.
Here’s a quick summary:
- GDPR mandates a DPIA for high-risk, data-sensitive projects, “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
- The Data Protection Office (DPO) is responsible for overseeing the DPIA – “The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.”
How do I Achieve Compliance?
Compliance will vary for each company. Two aspects of the DPIA, however, are pretty clear: assess high-risk projects with new applications of technology and consult your DPO.
Pointers to get started:
- Determine if your organization/project processes data that is likely to result in a high risk to the rights and freedoms of natural persons.
- In particular, the DPIA is required if the project involves:
- Profiling Processing.
- Systematic monitoring of a publicly accessible area on a large scale.
- Automated processing, including profiling, on which decisions are based that could have legal implications.
- The DPIA is your friend — it helps you to identify and mitigate data protection risks and make informed decisions about the possible outcomes. Crucially, a well-constructed DPIA will allow you to communicate effectively with your customers and demonstrate compliance with the GDPR to offset legal risks.
- Constructing a thorough DPIA will require the collaboration of key stakeholders in IT, information security and privacy, with the legal team.
What are your concerns about the GDPR? Tweet me @scarabeetle using #CountdowntoGDPR, or add a comment below.
Stay tuned for my next blog on what SaaS providers are doing to prepare for 25 May 2018.
Read the entire Countdown to GDPR series to date:
Part 1: Right to Be Forgotten
Part 2: Privacy by Design and by Default
Part 3: Designating Data a Protection Officer (DPO)
Part 4: Customer Communication and Experience
Part 5: Data Security and Privacy Policies
Part 6: Data Transfers