
What is a data protection impact assessment (DPIA)

Maintaining compliance with privacy laws is critical if you don’t want to be hit by a large fine and want to make the online world a safer place for everyone. The GDPR requires a DPIA, or data protection impact assessment, before any processing of personal data that is likely to result in a high risk to individuals.

Updated on: April 15, 2023

Staying ahead of the game when it comes to data privacy

At Green Arrow Consultancy we keep track of developments in data privacy law not only in Europe but worldwide.

Europe has consistently been ahead of the curve on data privacy law, and the rest of the world is now recognising the importance of protecting personal data too.

Australia is one country currently examining how well GDPR has worked in Europe, after a breach at a telecommunications company exposed the private data of millions of customers in the largest cyber attack the country has ever witnessed. The Australian government is now looking at overhauling its privacy laws so that companies face financial penalties if they fail to protect their customers’ data.

After the EU GDPR (General Data Protection Regulation) was introduced, many industries had to make sweeping changes to how they protect and use consumer data. It set a new benchmark for legislation giving individuals enforceable rights over their personal data.


So what is a DPIA? A Data Protection Impact Assessment is a structured risk assessment that helps an organisation identify, and reduce, the risks that a processing activity poses to the privacy of the individuals whose data it handles. Under Article 35 of the GDPR it is mandatory for any processing that is likely to result in a high risk to individuals, which makes it one of the key components of GDPR compliance.

The UK’s Information Commissioner’s Office (ICO) notes that, when deciding whether a DPIA is needed, you do not have to know whether the processing is “actually high risk or likely to result in harm”; assessing that is the job of the DPIA itself. What you need to do is look out for the red flags and screening criteria that indicate a DPIA is required. To maintain GDPR compliance, make DPIAs an integral part of the business processes that protect your customers’ information.

One of the main characteristics of the GDPR is the principle of “privacy by design” (the regulation itself calls it “data protection by design and by default”). This means that the technical and organisational measures protecting personal data must be built into the business processes that handle that data, rather than bolted on afterwards. As a means of achieving privacy by design, data protection authorities recommend carrying out DPIAs to surface risks and to demonstrate how an organisation protects its customers’ data.

A DPIA should be carried out whenever a company is creating a new product or service that will collect or process personal data. Conducting the DPIA at the start of the project is what makes privacy by design possible: privacy requirements are investigated up front, rather than being an afterthought.

Here are some examples of activities that will require a DPIA before processing begins:

• An HR department implementing a new system to process employee records

• An organisation using biometric data for access control

A DPIA should document:

• Whose data you are processing

• What kind of personal information you are looking to access

• A description of the nature, scope, and context of the processing

• The purpose for which you will use the personal data

• Identification and assessment of the risks to individuals

• The measures you will take to minimise or prevent those risks

A DPIA should assess questions like:

• Is the processing of personal data necessary and proportionate to your company’s goals?

• Is the benefit to your company worth the risks the processing poses to individuals?

• Is there a need to consult the supervisory authority (the GDPR requires prior consultation where a high risk remains after mitigation)?

After the DPIA is complete and before processing begins:

• Evaluate the residual risk to individuals after mitigation and weigh the severity of any impact on them.

• Consider publishing the DPIA with sensitive information redacted; publication is not mandatory, but it is good practice.

• Integrate the results of the DPIA into your company’s project plans.

• Keep the DPIA under review as the project changes; it is a living document, not a one-off exercise.

If you would like to learn more about what a DPIA is and if your business needs to carry one out, please contact the team at Green Arrow Consultancy, where we will be happy to look at your business's requirements.