What is a DPIA?
Under GDPR, Data Protection Impact Assessments (DPIAs) become an important, and in many cases mandatory, way of identifying, assessing and mitigating or minimising privacy risks in data processing activities. They are particularly relevant when a new data processing activity, system or technology is being introduced, or when an existing one changes in a way that affects the data it handles.
DPIAs also support the accountability principle. In other words, they help organisations to comply with the requirements of GDPR and to demonstrate that appropriate measures have been taken to ensure compliance. Under the GDPR, a Data Controller must conduct a DPIA before starting any processing that is likely to result in a high risk to the rights and freedoms of data subjects (for example, large-scale processing of special categories of data, or systematic monitoring of a publicly accessible area), and must do so in order to minimise those risks. Where the DPIA shows that the residual risk remains high and cannot be mitigated, the controller must consult the ICO before the processing begins.
The importance of the use of DPIAs in building compliance is underlined by the potential penalties of failing to do so. If companies / organisations fail to adequately conduct a DPIA where it is deemed to have been appropriate, this could result in fines of up to 2% of an organisation’s annual global turnover or €10 million, whichever is greater.
Appoint a Data Protection Officer (DPO)
If you are a public authority processing personal information, or if your core activities involve the regular and systematic monitoring of data subjects on a large scale, or if your core activities involve the processing on a large scale of special categories of data (or of data relating to criminal convictions and offences), you will need to appoint a Data Protection Officer (DPO).
This person will need to be very familiar with all aspects of compliance with existing and new UK data protection law and with the new EU regulation. This could therefore have an impact on staffing and on resources for training. Your company / organisation, as the 'Data Controller', will need to make sure that your DPO has the required expertise: GDPR requires expert knowledge of data protection law and practice rather than a specific certificate, so this may mean training and certification. This will help with the company / organisation's compliance, as well as ensuring that correct practice is followed by the DPO. Note that the DPO must be able to act independently, must report to the highest level of management, and must not be dismissed or penalised for performing their tasks.
What Will the DPO Do?
The DPO’s role will include:
Being involved, properly and in a timely manner, in all matters relating to the protection of personal data, e.g. within the company and in relationships with third parties such as processors.
Advising the Data Controller on DPIAs (explained in the previous section), monitoring how they are carried out, and informing and advising the Data Controller (and any employees who carry out processing) of their obligations under GDPR.
Monitoring the Data Controller's compliance with GDPR, the DPB and any other relevant data protection laws, and monitoring compliance with the Data Controller's own data protection policies.
Acting as a contact point for data subjects on all issues relating to the processing of their data and the exercise of their rights.
Facilitating and carrying out audits, and raising awareness and training staff involved in processing.
Attending meetings relating to data processing, acting as the contact point for the supervisory authority, and co-operating and consulting with the authority where necessary.
There Will Be a Common Data Breach Notification Requirement of 72 Hours
Your organisation will need to have the capability and systems in place to enable it to monitor for, identify, assess and notify the ICO of a personal data breach within 72 hours of becoming aware of it. Two practical points matter here. First, the 72-hour clock starts when the organisation becomes aware of the breach, not when the investigation is complete, so a breach that is detected late still has to be reported promptly once found; if the notification is made later than 72 hours it must be accompanied by reasons for the delay. Second, the duty to notify the ICO applies unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned, and where the breach is likely to result in a high risk to those individuals they must also be informed without undue delay. Whether or not a breach is reportable, every personal data breach must be documented internally, including its facts, effects and the remedial action taken, so that the ICO can verify compliance.