Data Protection Impact Assessments

Under GDPR there is a greater focus on actively managing the risks around processing personal data. Part of this management is the completion of Data Protection Impact Assessments (DPIAs). These act rather like most risk assessment exercises; encouraging people to look carefully at what they are doing, why they are doing it, the risks involved and controlling those risks to an acceptable level.

What is a DPIA?

Data protection impact assessments (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.

A DPIA helps us to analyse in detail the processing helping to identify and minimise data protection risks. These are not only the compliance risks but also broader risks to an individual’s rights and freedoms. Following a DPIA a risk may not be eliminated completely but it will help mitigate or reduce the risk and justify any remaining risk.

DPIAs should consider the potential for harm which can be physical, material and non-material. When evaluating the risk both the likelihood and the severity of any impact need to be taken into consideration.

A DPIA may cover more than one operation where they are similar and a DPIA may take several months of to properly conduct with some projects. It should not be viewed as a single point in time exercise but one that needs to be regularly reviewed.

We complete DPIAs for all of our service delivery environments, new service developments and when we are changing the way we work.

Where applicable DPIAs are available on request.