The Information Commissioner’s Office has updated the section in the GDPR on Data Protection Impact Assessments (DPIAs), focussing on risk, accountability and data protection by design. Article 35(4) is also up for public consultation until 13th April.
Data Protection Impact Assessments, or DPIAs, which will be mandatory to complete in some cases, are a new obligation for data processors under the General Data Protection Regulation.
When processing data that is ‘likely to result in high risk to individuals’ interests’, a DPIA will need to be conducted to determine the level of risk. If the level is high, then the Information Commissioner’s Office requests that you consult them directly.
If you already carry out Privacy Impact Assessments (PIAs), you will need to review the process before 25th May 2018 to ensure it complies with the GDPR updates. Any organisation not yet carrying out Privacy Impact Assessments should take the time to design DPIAs and include them in their processes.
This assessment, brought about by the GDPR, is a process that aims to help you identify and minimise (but not necessarily eradicate) any risk to the protection of the data that you and your organisation are processing.
The ICO says that your Data Protection Impact Assessment must:
The main purpose of the assessment is to protect high-risk data, but it also helps you to demonstrate your commitment to information security and helps to build trust with individuals. Compliance risk is of high importance, but the broader risk to the rights and freedoms of individuals (including social or economic disadvantage) should also be considered in the Data Protection Impact Assessment. This includes the ‘potential for harm – whether physical, material or non-material – to individuals or to society at large.’
As we touched upon earlier, the DPIA needs to be carried out before you process data that could result in high risk. This is to assess the level of the risk and identify factors that could impact individuals. The GDPR says you should conduct a DPIA if you:
The ICO has published a high-level guide on the planning of your DPIA, shown here in the graphic, but you can tailor the process to fit in with your organisation. Remember, this should become one of your organisation’s core processes, so it needs to work for you. There are also European guidelines for planning DPIAs that you may wish to follow.
The Information Commissioner’s Office has opened its draft guidance for Data Protection Impact Assessments for public consultation. Read the details and have your say over on the ICO website.