Conducting a Data Protection Impact Assessment

When your organisation collects, stores, or uses personal data, the individuals whose data you are processing are exposed to risks. These risks range from personal data being stolen or inadvertently released and then used by criminals to impersonate the individual, to the worry caused to individuals that their data will be used by your organisation for unknown purposes. A Data Protection Impact Assessment (DPIA) is a process designed to identify the risks arising from the processing of personal data and to minimise those risks as far, and as early, as possible. DPIAs are important tools for mitigating risk and for demonstrating compliance with the GDPR.

This document assumes that a DPIA will be conducted for a defined project, rather than for an organisation’s operations as a whole. A particular function of your organisation, or a programme of changes to your organisation’s operations as a whole, may be viewed as a project.

What are the benefits of conducting a DPIA?

Conducting a DPIA will improve awareness in your organisation of the data protection risks associated with a project. This helps to improve the design of the project and to enhance your communication with relevant stakeholders about data privacy risks. Some of the benefits of conducting a DPIA are as follows:

  • Ensuring and demonstrating that your organisation complies with the GDPR and avoids sanctions.

  • Inspiring confidence in the public by improving communications about data protection issues.

  • Ensuring your users are not at risk of their data protection rights being violated.

  • Enabling your organisation to incorporate “data protection by design” into new projects.

  • Reducing operating costs by optimising information flows within a project and eliminating unnecessary data collection and processing.

  • Reducing data protection-related risks to your organisation.

  • Reducing the cost and disruption of data protection safeguards by integrating them into project design at an early stage.

How do you know whether a DPIA should be conducted?

Under the GDPR, a DPIA is mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. This is particularly relevant when a new data processing technology is being introduced. Where it is not clear whether a DPIA is strictly mandatory, carrying one out is still good practice and a useful tool for helping data controllers comply with data protection law.