Guidance and good advice for carrying out a DPIA
For some organisations, the DPIA is high on the list of GDPR-related assignments that need to be sorted. But for many, the DPIA can actually wait – or at least be simplified so that it doesn’t require so many resources. Our Director explains when and how you should carry out a DPIA.
GDPR focuses on protecting privacy with the individual at the centre, not the organisations that collect, process, and store personal data. To ensure that the individual’s private data are processed as little as possible, the GDPR requires some organisations to carry out a so-called Data Protection Impact Assessment (DPIA).
The DPIA should be an analysis of the possible consequences for the individuals involved when an organisation’s processes or systems include personal data. For example: what are the consequences for an individual, when a private organisation has surveillance cameras monitoring a public area? Is that consequence fair, or should the activity be stopped?
A Consequence Can Be Many Things
Jakob Holm Hansen, our CEO, explains that it’s important to understand what the word ‘consequence’ really means in the everyday running of an organisation.
“In GDPR terms, a ‘consequence’ can have different meanings. However, they all involve situations where an organisation’s data processing risks preventing, or limiting, the possibility to exercise your basic human rights,” explains Jakob Holm Hansen.
This could, for example, mean publishing private information online, breaking human rights, introducing new technology like facial recognition, or an automatic decision-making process, such as a systematic credit assessment.
Put The DPIA On Hold
It is up to each organisation to assess the degree to which an organisation’s data processing can threaten the individual’s privacy in any way. If it doesn’t at all, Jakob Holm Hansen recommends you put the DPIA on hold.
“In reality, only a small number of organisations need to carry out a DPIA. If processing sensitive data is not an essential part of your organisation, then we do not recommend carrying out a DPIA, at least not to begin with. This is due to DPIAs primarily being for organisations where large-scale data processing is at the center of their operations.”
Make It As Simple As Possible
If you are going to carry out a DPIA, Jakob Holm Hansen encourages organisations to do a simplified version. There are no formal requirements of a DPIA in the GDPR. There is a basic checklist in the EU guidelines, which you can reference, but the actual process is ultimately up to you.
“To minimise the workload, it’s also possible to share Data Protection Impact Assessments. Organisations which have the same data processes do not need to carry out individual DPIAs, but can use the same analysis across the organisation,” explains Jakob Holm Hansen.
Create A Balanced Security Level
The GDPR and the ICO, which will enforce the regulation, emphasise proportionality when assessing an organisation’s efforts to comply with the GDPR. If you generally have a sensible compliance program and reasonable security measures considering the type and amount of data processes, then it’s not the level of a DPIA which will be the deciding factor in the case of a security incident.
“Our general advice for organisations which have to carry out a DPIA is to start with a simplified version that complies with the basic demands of the EU checklist. Then you can always expand on it later, once you’ve got other more pressing GDPR measurements in place,” says Jakob Holm Hansen.
Five tips to keep in mind when carrying out a DPIA
- Figure out whether you really need to carry out a DPIA. Many organisations simply do not.
- If you are going to carry out a DPIA, then start with a simplified version which fulfils the basic demands in the EU checklist. You can always expand later.
- When carrying out a DPIA, get an overview of your registrations that might affect the individuals. Assess the consequence with a number on an objective scale from 1 to 4, so that you can compare the level each year.
- Assess whether you can take action which limits the risks for the individuals – for example, raise your network security levels, encrypt your hard drive, change your security policies, etc.
- Assess continuously, and no less than once annually, whether your security level matches the level of impact for the individuals involved. If you have a DPO, they should be involved in this assessment.