GDPR: Data Protection Impact Assessments

  • A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
  • You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA.
  • It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
  • Your DPIA must:
    • describe the nature, scope, context and purposes of the processing;
    • assess necessity, proportionality and compliance measures;
    • identify and assess risks to individuals; and
    • identify any additional measures to mitigate those risks.
  • To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
  • You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.
  • If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
  • If you are processing for law-enforcement purposes, you should read this alongside the Guide to Law Enforcement Processing.
  • The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.
  • A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
  • You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA.
  • It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
  • Your DPIA must:
    • describe the nature, scope, context and purposes of the processing;
    • assess necessity, proportionality and compliance measures;
    • identify and assess risks to individuals; and
    • identify any additional measures to mitigate those risks.
  • To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
  • You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.
  • If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
  • If you are processing for law-enforcement purposes, you should read this alongside the Guide to Law Enforcement Processing.
  • The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.

FIND OUT MORE

 

Personal data breaches

  • The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
  • If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
  • You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
  • You must also keep a record of any personal data breaches, regardless of whether you are required to notify.

FIND OUT MORE