Carrying out a DPIA (Data Protection Impact Assessment) may be obligatory from the moment the GDPR (General Data Protection Regulation) takes effect on May 25 2018. DPIA is an evaluation. With this assessment you make an advance inventory of all privacy risks resulting from intended data processing.
A DPIA may have to be done because you are going to process personal data on a large scale. This could be a hospital processing patient data. Another possibility is when you’re processing personal data using new technology. A CRM system, for example.
In case of changes that involve a high risk for the processing of personal data a DPIA is a mandatory part of the project. It is crucial to carry out a DPIA as early as possible, so you can immediately take the results into consideration. That way the results of a DPIA early on allow you to take any necessary actions.
When data processing results in a high privacy risk for those involved, a DPIA is mandatory. The Working Party Article 29 (WP29) is a European Compliance Officer work group. This work group has drawn up criteria to determine the risk of data processing and resulting from that, whether you have to carry out a DPIA. They have also drafted a number of Guidelines on certain terms used in the GDPR that require an explanation. These guidelines for a DPIA can be found at http://ec.europa.eu/newsroom/document.cfm?doc_id=47711.
If your organisation has a Data Protection Officer, the person in charge of the DPIA has to ask the DPO for advice. The report has to include what the DPO has recommended on the personal data processing, for example when a DPIA should be carried out in case of a new CRM system. The DPO has to supervise things such as: where is the data stored? Who has access to the data? These questions have to be taken into account. The Data Protection Officer checks whether these components are present when the DPIA is done. The DPO also makes sure whether the DPIA is actually carried out. Should you ignore the DPO’s advice, it may not be a problem, but you do have to indicate why you have chosen to do so.
The DPIA is a free format, but does need to contain the following:
You have carried out a DPIA, so what’s next? Should there not be any risks, you can begin your intended data processing. When it turns out that the intended processing does result in a high risk and you do not take any measures, you have to consult the supervisory authority.
Would you like to know more about a DPIA? Or about the GDPR in general? Please feel free to contact us. We can help you safeguard the GDPR.