Data Protection Impact Assessment
The Article 29 Working Party described a Data Protection Impact Assessment (DPIA) as a process “designed to describe the processing, assess the necessity and proportionality of a processing operation and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them)”. In simpler terms, it is a mechanism for identifying, assessing and mitigating the risks involved in processing personal data. The DPIA is also an instrument of accountability: it helps a controller to comply with its obligations under the GDPR and, at the same time, produces a record demonstrating that appropriate measures have been taken. In that sense, a DPIA is one of the building blocks for both achieving and demonstrating compliance with the Regulation.
A DPIA is not mandatory for every personal data processing operation. The risk-based approach inherent in the GDPR requires a DPIA only where the processing, in the words of Art. 35(1), is “likely to result in a high risk to the rights and freedoms of natural persons”. The GDPR does not formally define a DPIA as such, but its minimum content is specified in Art. 35(7). Art. 35(3) lists cases in which a DPIA is always required, including: a systematic and extensive evaluation of individuals based on automated processing, including profiling; systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV); and large-scale processing of special categories of data (e.g. health data). The wording of Art. 35(3), “in particular”, makes clear that this list is not exhaustive, and Art. 35(4) additionally requires each supervisory authority to publish its own list of processing operations for which a DPIA is required.
There will therefore be processing operations that do not appear on any list but still pose a similarly high risk. The constant development of new data processing technologies is likely to increase the risks to the rights and freedoms of natural persons and demands a mature response through effective DPIAs. A failure to respond to new threats leaves an organisation exposed. This is particularly so because failing to carry out a DPIA where one is required, or carrying one out incorrectly, exposes a business or organisation to administrative fines (under Art. 83(4), up to €10 million or 2% of total worldwide annual turnover, whichever is higher).
GDPRXpert has the expertise to carry out a Data Protection Impact Assessment and to assess the risks with a view to their mitigation, since total elimination is rarely possible or realistic, so that your business or organisation does not become liable for large fines or suffer reputational damage. Where a residual high risk cannot be mitigated, Art. 36 requires the controller to consult the supervisory authority before processing begins, and a properly conducted DPIA is what identifies that situation in time. At GDPRXpert we carry out a full risk assessment based on the GDPR and in the light of current and changing guidance and legislation (e.g. from the Data Protection Commission, or the Data Protection Act 2018). Our objective is to identify any deficiencies, take remedial action, bring the processing into compliance with the Regulation, and document that all appropriate measures have been taken. Be proactive, not reactive!
GDPRXpert, based in Carlow, is available nationwide to carry out a Data Protection Impact Assessment. Get in touch today to schedule yours.