For some organisations, the DPIA is high on the list of GDPR-related assignments that need to be sorted. But for many, the DPIA can actually wait – or at least be simplified so that it doesn’t require so many resources. Our Director explains when and how you should carry out a DPIA.
GDPR focuses on protecting privacy with the individual at the centre, not the organisations that collect, process, and store personal data. To ensure that the individual’s private data is processed as little as possible, the GDPR requires some organisations to carry out a so-called Data Protection Impact Assessment (DPIA).
The DPIA should be an analysis of the possible consequences for the individuals involved when an organisation’s processes or systems include personal data. For example, what are the consequences for an individual when a private organisation has surveillance cameras monitoring a public area? Is that consequence fair, or should the activity be stopped?
Jakob Holm Hansen, our co-owner, explains that it’s important to understand what the word ‘consequence’ really means in the everyday running of an organisation.
“In GDPR terms, a ‘consequence’ can have different meanings. However, they all involve situations where an organisation’s data processing risks preventing, or limiting, the possibility of exercising your basic human rights,” explains Jakob Holm Hansen.
This could, for example, mean publishing private information online, breaching human rights, introducing new technology such as facial recognition, or an automatic decision-making process, such as a systematic credit assessment.
It is up to each organisation to assess the degree to which its own data processing can threaten the individual’s privacy in any way. If it does not threaten privacy at all, Jakob Holm Hansen recommends you put the DPIA on hold.
“In reality, only a small number of organisations need to carry out a DPIA. If processing sensitive data is not an essential part of your organisation, we do not recommend conducting a DPIA, at least not to begin with. This is due to DPIAs primarily being for organisations where large-scale data processing is at the centre of their operations.”
If you are going to carry out a DPIA, Jakob Holm Hansen encourages organisations to do a simplified version. There are no formal requirements for a DPIA in the GDPR. There is a basic checklist in the EU guidelines, which you can reference, but the actual process is ultimately up to you.
“To minimise the workload, it’s also possible to share Data Protection Impact Assessments. Organisations which have the same data processes do not need to carry out individual DPIAs, but can use the same analysis across the organisation,” explains Jakob Holm Hansen.
The GDPR and the ICO, which will enforce the regulation, emphasise proportionality when assessing an organisation’s efforts to comply with the GDPR. If you generally have a sensible compliance programme and reasonable security measures in view of the type and amount of data you process, then the level of detail of your DPIA will not be the deciding factor in the case of a security incident.
“Our general advice for organisations which have to carry out a DPIA is to start with a simplified version that complies with the basic demands of the EU checklist. Then you can always expand on it later, once you’ve got other more pressing GDPR measurements in place,” says Jakob Holm Hansen.