Skip to Main Content
Faint pattern of 1s and 0s on top of hexagons

DPIA or not to DPIA, that is the question…

Faint pattern of locks, 1s and 0s on top of hexagons

What is a DPIA?

A DPIA is a Data Protection Impact Assessment. Its objective is to identify and analyse how personal data may be affected by certain actions or activities.

Are DPIAs something new?

DPIAs were not new with the introduction of GDPR, they existed prior, the difference being that the GDPR made DPIAs a requirement if:-

  • Processing involving new technologies is – ‘likely to result in a high risk to the rights and freedoms of natural persons’ GDPR Art. 35(1)

Specifically, if there will be (GDPR Art. 35 (3a-c):

  • ‘systematic and extensive evaluation of personal aspects relating to natural persons… automated processing… profiling…’
  • ‘processing on a large scale of special categories of data…’
  • ‘a systematic monitoring of a publicly accessible area on a large scale’

The GDPR states a short list of potential processing activities that may require a DPIA, the ICO (Information Commissioner’s Office), the UK’s supervisory authority, has on their website more examples of processing ‘likely to result in high risk’.

What does ‘High Risk’ mean?

To establish if something is high risk you must consider the likelihood and severity of any potential harm to individuals.

Is there a need?

Screening questions are key to deciding if a DPIA is necessary. Screening questions should cover:

  • if it’s a new project
  • collection of new information
  • individuals providing information
  • information disclosure
  • using information for an alternative reason from its current use
  • new technology use
  • impactful decisions/action taken against individuals
  • likely to raise privacy concerns
  • intrusive contact with individuals

If any of the above are flagged, then there is most probably a need for a DPIA to be carried out.

The best course of action for any new large-scale processing activity involving personal data, is to carry out a DPIA, even if there is no initial indication of any high risk. Completed assessments demonstrate compliance and create a trust factor in your organisation.

DPIA Key points

  • With all new processing activities your DPO (if you have one) should be involved.
  • Any DPIA with high risk identified should be referred to the ICO for consultation.
  • Completed DPIAs should be kept under review

If you need any assistance with data protection impact assessments (DPIAs) or data protection/GDPR advice in general, please feel free to contact us so we can discuss your needs further.