Under certain circumstances, organisations are required to carry out a Data Protection Impact Assessment (DPIA).
A DPIA is essentially a risk management process. It helps you identify, analyse and minimise the data protection risks of a project or new technology. If carried out at the start of a project it can help you embed data protection obligations into the project at an early stage, saving time and cost.
Here are some pointers:
- Before anything else, you need to establish whether a DPIA is required in the first place.
- If a preliminary assessment concludes that a DPIA is mandatory, then the GDPR requirements should be followed in carrying out the DPIA.
- Even if the preliminary assessment concludes that a DPIA is not mandatory, it makes sense to undertake a risk assessment at the start of any project. That way data protection requirements can be built into the project plan, bringing clarity to requirements and saving cost and time.
- It’s critical to document your DPIAs and have them ready to submit to regulators upon request. Public bodies can also be asked to release them under Freedom of Information legislation. As we have also seen with the release of the Department of Health Covid Tracker App, a good DPIA can go a long way toward building trust in your product or service among your user or customer base.
When done well, DPIAs can revolutionise a culture of privacy in an organisation. By creating appropriate, clear templates and training staff members involved in DPIAs so that they understand the process well, people become more aware of their data protection obligations.
Pembroke Privacy can guide you through the entire DPIA process, either working with your in-house team or as outsourced support. Click here to read more or fill out the form below and one of our consultants will get in touch.