
DPIA

Carrying out a DPIA (Data Protection Impact Assessment) may be obligatory from the moment the GDPR (General Data Protection Regulation) takes effect on May 25 2018. A DPIA is an evaluation: with this assessment you make an advance inventory of all privacy risks resulting from the intended data processing.

A DPIA may have to be done because you are going to process personal data on a large scale, for example a hospital processing patient data. Another possibility is that you are processing personal data using new technology, such as a new CRM system.

In case of changes that involve a high risk for the processing of personal data, a DPIA is a mandatory part of the project. It is crucial to carry out the DPIA as early as possible, so that its results can be taken into consideration immediately and any necessary measures can still be taken while the project is in progress.

WP29

When data processing results in a high privacy risk for those involved, a DPIA is mandatory. The Article 29 Working Party (WP29) is a European work group of compliance officers. This work group has drawn up criteria to determine the risk of a data processing operation and, following from that, whether you have to carry out a DPIA. They have also drafted a number of Guidelines on certain terms used in the GDPR that require an explanation. The guidelines for a DPIA can be found at http://ec.europa.eu/newsroom/document.cfm?doc_id=47711.

Advice from the DPO

If your organisation has a Data Protection Officer (DPO), the person in charge of the DPIA has to ask the DPO for advice. The report has to include what the DPO has recommended on the personal data processing, for example whether a DPIA should be carried out for a new CRM system. The DPO has to supervise questions such as: where is the data stored? Who has access to the data? These questions have to be taken into account, and the DPO checks whether these components are present when the DPIA is done. The DPO also makes sure that the DPIA is actually carried out. Should you decide not to follow the DPO’s advice, that is not necessarily a problem, but you do have to document why you have chosen to do so.

Contents of the DPIA

The DPIA has a free format, but it does need to contain the following:

  • A systematic description of what you are going to process and the aim of the processing;
  • Why you have to do this data processing: is processing personal data in this manner really necessary for reaching your goal?
  • An assessment of the risks for those involved;
  • The measures taken to minimise those risks.

Results of the DPIA

You have carried out a DPIA, so what’s next? Should there be no risks, you can begin your intended data processing. When it turns out that the intended processing does result in a high risk and you do not take any measures to reduce it, you have to consult the supervisory authority before you start processing.

Would you like to know more about a DPIA, or about the GDPR in general? Please feel free to contact us. We can help you comply with the GDPR.